aka: Operation DarkSeoul, Dark Seoul, Hidden Cobra, Hastati Group, Andariel, Unit 121, Bureau 121, NewRomanic Cyber Army Team, Bluenoroff, Subgroup: Bluenoroff, Group 77, Labyrinth Chollima, Operation Troy, Operation GhostSecret, Operation AppleJeus, APT38, APT 38, Stardust Chollima, Whois Hacking Team, Zinc, Appleworm, Nickel Academy, APT-C-26, NICKEL GLADSTONE, COVELLITE, ATK3, G0032, ATK117, G0082
Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.
2023-03-20 ⋅ SecurityIntelligence ⋅ John Dwyer @online{dwyer:20230320:when:3f1345c,
  author       = {John Dwyer},
  title        = {{When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule}},
  organization = {SecurityIntelligence},
  date         = {2023-03-20},
  url          = {https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/},
  urldate      = {2023-03-21},
  language     = {English},
}
When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule FudModule |
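2023-02-23 ⋅ Bitdefender ⋅ Martin Zugec, Bitdefender Team @online{zugec:20230223:technical:710242c,
  author       = {Martin Zugec and {Bitdefender Team}},
  title        = {{Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966}},
  organization = {Bitdefender},
  date         = {2023-02-23},
  url          = {https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966},
  urldate      = {2023-02-27},
  language     = {English},
}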
Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966 Cobalt Strike DarkComet RATel |
2023-02-23 ⋅ ESET Research ⋅ Vladislav Hrčka @online{hrka:20230223:winordll64:73e8cbf,
  author       = {Vladislav Hrčka},
  title        = {{WinorDLL64: A backdoor from the vast Lazarus arsenal?}},
  organization = {ESET Research},
  date         = {2023-02-23},
  url          = {https://www.welivesecurity.com/2023/02/23/winordll64-backdoor-vast-lazarus-arsenal/},
  urldate      = {2023-02-27},
  language     = {English},
}
WinorDLL64: A backdoor from the vast Lazarus arsenal? WinorDLL64 |
2023-02-21 ⋅ SecurityIntelligence ⋅ Ruben Boonen @online{boonen:20230221:direct:6f70379,
  author       = {Ruben Boonen},
  title        = {{Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers}},
  organization = {SecurityIntelligence},
  date         = {2023-02-21},
  url          = {https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/},
  urldate      = {2023-03-21},
  language     = {English},
}
Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers FudModule |
2023-02-02 ⋅ WithSecure ⋅ Sami Ruohonen, Stephen Robinson @techreport{ruohonen:20230202:no:2a5fce3,
  author       = {Sami Ruohonen and Stephen Robinson},
  title        = {{No Pineapple! –DPRK Targeting of Medical Research and Technology Sector}},
  institution  = {WithSecure},
  date         = {2023-02-02},
  url          = {https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf},
  urldate      = {2023-02-09},
  language     = {English},
}
No Pineapple! –DPRK Targeting of Medical Research and Technology Sector Dtrack GREASE |
2023-01-05 ⋅ AttackIQ ⋅ Francis Guibernau, Ken Towne @online{guibernau:20230105:emulating:04eb5ed,
  author       = {Francis Guibernau and Ken Towne},
  title        = {{Emulating the Highly Sophisticated North Korean Adversary Lazarus Group}},
  organization = {AttackIQ},
  date         = {2023-01-05},
  url          = {https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/},
  urldate      = {2023-01-10},
  language     = {English},
}
Emulating the Highly Sophisticated North Korean Adversary Lazarus Group MagicRAT Tiger RAT |
2022-12-27 ⋅ Kaspersky ⋅ Seongsu Park @online{park:20221227:bluenoroff:383c86f,
  author       = {Seongsu Park},
  title        = {{BlueNoroff introduces new methods bypassing MoTW}},
  organization = {Kaspersky},
  date         = {2022-12-27},
  url          = {https://securelist.com/bluenoroff-methods-bypass-motw/108383/},
  urldate      = {2022-12-29},
  language     = {English},
}
BlueNoroff introduces new methods bypassing MoTW LazarLoader |
2022-12-20 ⋅ K7 Security ⋅ Mellvin S @online{s:20221220:lazarus:41a5f95,
  author       = {Mellvin S},
  title        = {{Lazarus APT’s Operation Interception Uses Signed Binary}},
  organization = {K7 Security},
  date         = {2022-12-20},
  url          = {https://labs.k7computing.com/index.php/lazarus-apts-operation-interception-uses-signed-binary/},
  urldate      = {2022-12-29},
  language     = {English},
}
Lazarus APT’s Operation Interception Uses Signed Binary Interception |
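2022-12-16 ⋅ Sekoia ⋅ Threat & Detection Research Team @online{team:20221216:dprk:4abe047,
  author       = {{Threat \& Detection Research Team}},
  title        = {{The DPRK delicate sound of cyber}},
  organization = {Sekoia},
  date         = {2022-12-16},
  url          = {https://blog.sekoia.io/the-dprk-delicate-sound-of-cyber/},
  urldate      = {2022-12-29},
  language     = {English},
}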
The DPRK delicate sound of cyber AppleJeus AppleJeus SnatchCrypto |
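2022-11-23 ⋅ Twitter (@RedDrip7) ⋅ RedDrip Team @online{team:20221123:tweets:726f590,
  author       = {{RedDrip Team}},
  title        = {{Tweets about potential Lazarus sample}},
  organization = {Twitter (@RedDrip7)},
  date         = {2022-11-23},
  url          = {https://twitter.com/RedDrip7/status/1595365451495706624},
  urldate      = {2022-12-20},
  language     = {English},
}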
Tweets about potential Lazarus sample Unidentified 101 (Lazarus?) |
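2022-11-21 ⋅ vmware ⋅ Threat Analysis Unit @online{unit:20221121:threat:7972abc,
  author       = {{Threat Analysis Unit}},
  title        = {{Threat Analysis: Active C2 Discovery Using Protocol Emulation Part4 (Dacls, aka MATA)}},
  organization = {vmware},
  date         = {2022-11-21},
  url          = {https://blogs.vmware.com/security/2022/11/threat-analysis-active-c2-discovery-using-protocol-emulation-part4-dacls-aka-mata.html},
  urldate      = {2022-11-28},
  language     = {English},
}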
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part4 (Dacls, aka MATA) Dacls |
2022-11-15 ⋅ Kaspersky Labs ⋅ Konstantin Zykov, Jornt van der Wiel @online{zykov:20221115:dtrack:9f8ed2a,
  author       = {Konstantin Zykov and Jornt van der Wiel},
  title        = {{DTrack activity targeting Europe and Latin America}},
  organization = {Kaspersky Labs},
  date         = {2022-11-15},
  url          = {https://securelist.com/dtrack-targeting-europe-latin-america/107798/},
  urldate      = {2022-11-18},
  language     = {English},
}
DTrack activity targeting Europe and Latin America Dtrack |
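2022-10-24 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20221024:malware:495a611,
  author       = {{ASEC Analysis Team}},
  title        = {{Malware infection case of Lazarus attack group that neutralizes antivirus program with BYOVD technique}},
  organization = {AhnLab},
  date         = {2022-10-24},
  url          = {https://asec.ahnlab.com/ko/40495/},
  urldate      = {2022-10-25},
  language     = {Korean},
}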
Malware infection case of Lazarus attack group that neutralizes antivirus program with BYOVD technique LazarDoor |
2022-10-24 ⋅ Youtube (Virus Bulletin) ⋅ Alexander Adamov @online{adamov:20221024:russian:97d3e2a,
  author       = {Alexander Adamov},
  title        = {{Russian wipers in the cyberwar against Ukraine}},
  organization = {Youtube (Virus Bulletin)},
  date         = {2022-10-24},
  url          = {https://www.youtube.com/watch?v=mrTdSdMMgnk},
  urldate      = {2023-03-20},
  language     = {English},
}
Russian wipers in the cyberwar against Ukraine AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate |
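2022-09-30 ⋅ ESET Research ⋅ Peter Kálnai, Matěj Havránek @techreport{klnai:20220930:lazarus:efbd75d,
  author       = {Peter Kálnai and Matěj Havránek},
  title        = {{Lazarus \& BYOVD: evil to the Windows core}},
  institution  = {ESET Research},
  date         = {2022-09-30},
  url          = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf},
  urldate      = {2022-12-24},
  language     = {English},
}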
Lazarus & BYOVD: evil to the Windows core FudModule |
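2022-09-30 ⋅ ESET Research ⋅ Peter Kálnai @online{klnai:20220930:amazonthemed:bf959b5,
  author       = {Peter Kálnai},
  title        = {{Amazon-themed campaigns of Lazarus in the Netherlands and Belgium}},
  organization = {ESET Research},
  date         = {2022-09-30},
  url          = {https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/},
  urldate      = {2022-12-29},
  language     = {English},
}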
Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium BLINDINGCAN FudModule |
2022-09-26 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita @online{iacob:20220926:anatomy:248e6ff,
  author       = {Ioan Iacob and Iulian Madalin Ionita},
  title        = {{The Anatomy of Wiper Malware, Part 3: Input/Output Controls}},
  organization = {CrowdStrike},
  date         = {2022-09-26},
  url          = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-3/},
  urldate      = {2022-09-29},
  language     = {English},
}
The Anatomy of Wiper Malware, Part 3: Input/Output Controls CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper Meteor Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare |
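2022-09-22 ⋅ AhnLab ⋅ AhnLab ASEC Analysis Team @techreport{team:20220922:analysis:9dea34b,
  author       = {{AhnLab ASEC Analysis Team}},
  title        = {{Analysis Report on Lazarus Group's Rootkit Attack Using BYOVD}},
  institution  = {AhnLab},
  date         = {2022-09-22},
  url          = {https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf},
  urldate      = {2022-12-29},
  language     = {English},
}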
Analysis Report on Lazarus Group's Rootkit Attack Using BYOVD FudModule |
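2022-09-15 ⋅ Symantec ⋅ Threat Hunter Team @online{team:20220915:webworm:500c850,
  author       = {{Threat Hunter Team}},
  title        = {{Webworm: Espionage Attackers Testing and Using Older Modified RATs}},
  organization = {Symantec},
  date         = {2022-09-15},
  url          = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats},
  urldate      = {2022-09-20},
  language     = {English},
}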
Webworm: Espionage Attackers Testing and Using Older Modified RATs 9002 RAT Ghost RAT Trochilus RAT |
2022-09-14 ⋅ Mandiant ⋅ macla, Mathew Potaczek, Nino Isakovic, Matt Williams, Yash Gupta @online{macla:20220914:its:1d63d78,
  author       = {macla and Mathew Potaczek and Nino Isakovic and Matt Williams and Yash Gupta},
  title        = {{It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp}},
  organization = {Mandiant},
  date         = {2022-09-14},
  url          = {https://www.mandiant.com/resources/blog/dprk-whatsapp-phishing},
  urldate      = {2022-09-19},
  language     = {English},
}
It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp BLINDINGCAN |
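2022-09-10 ⋅ Malverse ⋅ greenplan @online{greenplan:20220910:realizziamo:2eaa6a4,
  author       = {greenplan},
  title        = {{Realizziamo un C\&C Server in Python (Bankshot)}},
  organization = {Malverse},
  date         = {2022-09-10},
  url          = {https://malverse.it/analisi-bankshot-copperhedge},
  urldate      = {2022-09-26},
  language     = {Italian},
}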
Realizziamo un C&C Server in Python (Bankshot) Bankshot |
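2022-09-08 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Vitor Ventura @online{an:20220908:lazarus:236b4b4,
  author       = {An, Jung soo and Asheer Malhotra and Vitor Ventura},
  title        = {{Lazarus and the tale of three RATs}},
  organization = {Cisco Talos},
  date         = {2022-09-08},
  url          = {https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html},
  urldate      = {2023-01-19},
  language     = {English},
}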
Lazarus and the tale of three RATs MagicRAT MimiKatz VSingle YamaBot |
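2022-09-07 ⋅ Cisco Talos ⋅ Jung soo An, Asheer Malhotra, Vitor Ventura @online{an:20220907:magicrat:efb6a3d,
  author       = {An, Jung soo and Asheer Malhotra and Vitor Ventura},
  title        = {{MagicRAT: Lazarus’ latest gateway into victim networks}},
  organization = {Cisco Talos},
  date         = {2022-09-07},
  url          = {https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html},
  urldate      = {2022-09-16},
  language     = {English},
}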
MagicRAT: Lazarus’ latest gateway into victim networks MagicRAT Tiger RAT |
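2022-08-13 ⋅ Youtube (Blue Team Village) ⋅ Seongsu Park @online{park:20220813:attribution:a689611,
  author       = {Seongsu Park},
  title        = {{Attribution and Bias: My terrible mistakes in threat intelligence attribution}},
  organization = {Youtube (Blue Team Village)},
  date         = {2022-08-13},
  url          = {https://www.youtube.com/watch?v=rjA0Vf75cYk},
  urldate      = {2022-09-19},
  language     = {English},
}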
Attribution and Bias: My terrible mistakes in threat intelligence attribution AppleJeus Olympic Destroyer |
2022-08-12 ⋅ CrowdStrike ⋅ Ioan Iacob, Iulian Madalin Ionita @online{iacob:20220812:anatomy:b13ce32,
  author       = {Ioan Iacob and Iulian Madalin Ionita},
  title        = {{The Anatomy of Wiper Malware, Part 1: Common Techniques}},
  organization = {CrowdStrike},
  date         = {2022-08-12},
  url          = {https://www.crowdstrike.com/blog/the-anatomy-of-wiper-malware-part-1/},
  urldate      = {2023-01-19},
  language     = {English},
}
The Anatomy of Wiper Malware, Part 1: Common Techniques Apostle CaddyWiper DEADWOOD DistTrack DoubleZero DUSTMAN HermeticWiper IsaacWiper IsraBye KillDisk Meteor Olympic Destroyer Ordinypt Petya Sierra(Alfa,Bravo, ...) StoneDrill WhisperGate ZeroCleare |
2022-08-09 ⋅ Kaspersky ⋅ Kurt Baumgartner, Seongsu Park @online{baumgartner:20220809:andariel:89d6b24,
  author       = {Kurt Baumgartner and Seongsu Park},
  title        = {{Andariel deploys DTrack and Maui ransomware}},
  organization = {Kaspersky},
  date         = {2022-08-09},
  url          = {https://securelist.com/andariel-deploys-dtrack-and-maui-ransomware/107063/},
  urldate      = {2022-08-11},
  language     = {English},
}
Andariel deploys DTrack and Maui ransomware Dtrack Maui Ransomware |
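2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42 @online{42:20220718:iron:f7586c5,
  author       = {{Unit 42}},
  title        = {{Iron Taurus}},
  organization = {Palo Alto Networks Unit 42},
  date         = {2022-07-18},
  url          = {https://unit42.paloaltonetworks.com/atoms/iron-taurus/},
  urldate      = {2022-07-29},
  language     = {English},
}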
Iron Taurus CHINACHOPPER Ghost RAT Wonknu ZXShell APT27 |
2022-07-07 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20220707:yamabot:bed4014,
  author       = {Shusei Tomonaga},
  title        = {{YamaBot Malware Used by Lazarus}},
  organization = {JPCERT/CC},
  date         = {2022-07-07},
  url          = {https://blogs.jpcert.or.jp/en/2022/07/yamabot.html},
  urldate      = {2022-09-12},
  language     = {English},
}
YamaBot Malware Used by Lazarus YamaBot |
2022-07-05 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20220705:vsingle:85138e2,
  author       = {Shusei Tomonaga},
  title        = {{VSingle malware that obtains C2 server information from GitHub}},
  organization = {JPCERT/CC},
  date         = {2022-07-05},
  url          = {https://blogs.jpcert.or.jp/en/2022/07/vsingle.html},
  urldate      = {2022-07-05},
  language     = {English},
}
VSingle malware that obtains C2 server information from GitHub VSingle |
2022-06-21 ⋅ Cisco Talos ⋅ Flavio Costa, Chris Neal, Guilherme Venere @online{costa:20220621:avos:b60a2ad,
  author       = {Flavio Costa and Chris Neal and Guilherme Venere},
  title        = {{Avos ransomware group expands with new attack arsenal}},
  organization = {Cisco Talos},
  date         = {2022-06-21},
  url          = {https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html},
  urldate      = {2022-06-22},
  language     = {English},
}
Avos ransomware group expands with new attack arsenal AvosLocker Cobalt Strike DarkComet MimiKatz |
2022-05-23 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @techreport{lunghi:20220523:operation:e3c402b,
  author       = {Daniel Lunghi and Jaromír Hořejší},
  title        = {{Operation Earth Berberoka}},
  institution  = {Trend Micro},
  date         = {2022-05-23},
  url          = {https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf},
  urldate      = {2022-07-25},
  language     = {English},
}
Operation Earth Berberoka reptile oRAT Ghost RAT PlugX pupy Earth Berberoka |
2022-05-09 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20220509:malware:1cdee23,
  author       = {cocomelonc},
  title        = {{Malware development: persistence - part 4. Windows services. Simple C++ example.}},
  organization = {cocomelonc},
  date         = {2022-05-09},
  url          = {https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html},
  urldate      = {2022-12-01},
  language     = {English},
}
Malware development: persistence - part 4. Windows services. Simple C++ example. Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu |
2022-05-05 ⋅ NCC Group ⋅ Michael Matthews, Nikolaos Pantazopoulos @online{matthews:20220505:north:22bd1ef,
  author       = {Michael Matthews and Nikolaos Pantazopoulos},
  title        = {{North Korea’s Lazarus: their initial access trade-craft using social media and social engineering}},
  organization = {NCC Group},
  date         = {2022-05-05},
  url          = {https://research.nccgroup.com/2022/05/05/north-koreas-lazarus-and-their-initial-access-trade-craft-using-social-media-and-social-engineering/},
  urldate      = {2022-05-05},
  language     = {English},
}
North Korea’s Lazarus: their initial access trade-craft using social media and social engineering LCPDot |
2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @online{lunghi:20220427:new:9068f6e,
  author       = {Daniel Lunghi and Jaromír Hořejší},
  title        = {{New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware}},
  organization = {Trend Micro},
  date         = {2022-04-27},
  url          = {https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html},
  urldate      = {2022-05-04},
  language     = {English},
}
New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware AsyncRAT Ghost RAT PlugX Quasar RAT Earth Berberoka |
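2022-04-27 ⋅ Trend Micro ⋅ Daniel Lunghi, Jaromír Hořejší @techreport{lunghi:20220427:operation:bdba881,
  author       = {Daniel Lunghi and Jaromír Hořejší},
  title        = {{Operation Gambling Puppet}},
  institution  = {Trend Micro},
  date         = {2022-04-27},
  url          = {https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf},
  urldate      = {2022-07-25},
  language     = {English},
}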
Operation Gambling Puppet reptile oRAT AsyncRAT Cobalt Strike DCRat Ghost RAT PlugX Quasar RAT Trochilus RAT Earth Berberoka |
2022-04-26 ⋅ Trend Micro ⋅ Ryan Flores, Stephen Hilt, Lord Alfred Remorin @online{flores:20220426:how:28d9476,
  author       = {Ryan Flores and Stephen Hilt and Lord Alfred Remorin},
  title        = {{How Cybercriminals Abuse Cloud Tunneling Services}},
  organization = {Trend Micro},
  date         = {2022-04-26},
  url          = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services},
  urldate      = {2022-05-03},
  language     = {English},
}
How Cybercriminals Abuse Cloud Tunneling Services AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT |
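2022-04-18 ⋅ CISA ⋅ CISA, U.S. Department of the Treasury, FBI @techreport{cisa:20220418:aa22108a:a0a81c6,
  author       = {CISA and {U.S. Department of the Treasury} and FBI},
  title        = {{AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (PDF)}},
  institution  = {CISA},
  date         = {2022-04-18},
  url          = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-108A-TraderTraitor-North_Korea_APT_Targets_Blockchain_Companies.pdf},
  urldate      = {2022-04-20},
  language     = {English},
}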
AA22-108A: TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (PDF) FastCash Bankshot |
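2022-04-18 ⋅ CISA ⋅ CISA, FBI, U.S. Department of the Treasury @online{cisa:20220418:alert:dcc72c0,
  author       = {CISA and FBI and {U.S. Department of the Treasury}},
  title        = {{Alert (AA22-108A): TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies}},
  organization = {CISA},
  date         = {2022-04-18},
  url          = {https://www.cisa.gov/uscert/ncas/alerts/aa22-108a},
  urldate      = {2022-04-25},
  language     = {English},
}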
Alert (AA22-108A): TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies Bankshot |
2022-04-15 ⋅ Center for Internet Security ⋅ CIS @online{cis:20220415:top:62c8245,
  author       = {CIS},
  title        = {{Top 10 Malware March 2022}},
  organization = {Center for Internet Security},
  date         = {2022-04-15},
  url          = {https://www.cisecurity.org/insights/blog/top-10-malware-march-2022},
  urldate      = {2023-02-17},
  language     = {English},
}
Top 10 Malware March 2022 Mirai Shlayer Agent Tesla Ghost RAT Nanocore RAT SectopRAT solarmarker Zeus |
2022-04-01 ⋅ The Hacker News ⋅ Ravie Lakshmanan @online{lakshmanan:20220401:chinese:0b445c6,
  author       = {Ravie Lakshmanan},
  title        = {{Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit}},
  organization = {The Hacker News},
  date         = {2022-04-01},
  url          = {https://thehackernews.com/2022/04/chinese-hackers-target-vmware-horizon.html},
  urldate      = {2022-04-04},
  language     = {English},
}
Chinese Hackers Target VMware Horizon Servers with Log4Shell to Deploy Rootkit Fire Chili Ghost RAT |
2022-03-31 ⋅ Kaspersky ⋅ GReAT @online{great:20220331:lazarus:540b96e,
  author       = {GReAT},
  title        = {{Lazarus Trojanized DeFi app for delivering malware}},
  organization = {Kaspersky},
  date         = {2022-03-31},
  url          = {https://securelist.com/lazarus-trojanized-defi-app/106195/},
  urldate      = {2022-04-04},
  language     = {English},
}
Lazarus Trojanized DeFi app for delivering malware LCPDot |
2022-03-30 ⋅ Fortinet ⋅ Rotem Sde-Or, Eliran Voronovitch @online{sdeor:20220330:new:8eeff0d,
  author       = {Rotem Sde-Or and Eliran Voronovitch},
  title        = {{New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits}},
  organization = {Fortinet},
  date         = {2022-03-30},
  url          = {https://www.fortinet.com/blog/threat-research/deep-panda-log4shell-fire-chili-rootkits},
  urldate      = {2022-03-31},
  language     = {English},
}
New Milestones for Deep Panda: Log4Shell and Digitally Signed Fire Chili Rootkits Fire Chili Ghost RAT |
2022-03-17 ⋅ Sophos ⋅ Tilly Travers @online{travers:20220317:ransomware:df38f2f,
  author       = {Tilly Travers},
  title        = {{The Ransomware Threat Intelligence Center}},
  organization = {Sophos},
  date         = {2022-03-17},
  url          = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/},
  urldate      = {2022-03-18},
  language     = {English},
}
The Ransomware Threat Intelligence Center ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker |
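2022-03-16 ⋅ AhnLab ⋅ ASEC Analysis Team @online{team:20220316:gh0stcringe:65e2d3e,
  author       = {{ASEC Analysis Team}},
  title        = {{Gh0stCringe RAT Being Distributed to Vulnerable Database Servers}},
  organization = {AhnLab},
  date         = {2022-03-16},
  url          = {https://asec.ahnlab.com/en/32572/},
  urldate      = {2022-04-14},
  language     = {English},
}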
Gh0stCringe RAT Being Distributed to Vulnerable Database Servers Ghost RAT Kingminer |
2022-03-01 ⋅ Github (0xZuk0) ⋅ Dipankar Lama @techreport{lama:20220301:malware:865ab35,
  author       = {Dipankar Lama},
  title        = {{Malware Analysis Report: WannaCry Ransomware}},
  institution  = {Github (0xZuk0)},
  date         = {2022-03-01},
  url          = {https://github.com/0xZuk0/rules-of-yaras/blob/main/reports/Wannacry%20Ransomware%20Report.pdf},
  urldate      = {2022-03-07},
  language     = {English},
}
Malware Analysis Report: WannaCry Ransomware WannaCryptor |
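2022-02-24 ⋅ nviso ⋅ Michel Coene @online{coene:20220224:threat:f0dba09,
  author       = {Michel Coene},
  title        = {{Threat Update – Ukraine \& Russia conflict}},
  organization = {nviso},
  date         = {2022-02-24},
  url          = {https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/},
  urldate      = {2022-03-01},
  language     = {English},
}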
Threat Update – Ukraine & Russia conflict EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate |
2022-02-11 ⋅ Cisco Talos ⋅ Talos @online{talos:20220211:threat:fcad762,
  author       = {Talos},
  title        = {{Threat Roundup for February 4 to February 11}},
  organization = {Cisco Talos},
  date         = {2022-02-11},
  url          = {https://blog.talosintelligence.com/2022/02/threat-roundup-0204-0211.html},
  urldate      = {2022-02-14},
  language     = {English},
}
Threat Roundup for February 4 to February 11 DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus |
2022-02-09 ⋅ Sentinel LABS ⋅ Tom Hegel @online{hegel:20220209:modifiedelephant:b004138,
  author       = {Tom Hegel},
  title        = {{ModifiedElephant APT and a Decade of Fabricating Evidence}},
  organization = {Sentinel LABS},
  date         = {2022-02-09},
  url          = {https://www.sentinelone.com/labs/modifiedelephant-apt-and-a-decade-of-fabricating-evidence/},
  urldate      = {2022-02-14},
  language     = {English},
}
ModifiedElephant APT and a Decade of Fabricating Evidence DarkComet Incubator NetWire RC ModifiedElephant |
2022-02-09 ⋅ SentinelOne ⋅ Tom Hegel, Juan Andrés Guerrero-Saade @techreport{hegel:20220209:modified:3c039c6,
  author       = {Tom Hegel and Juan Andrés Guerrero-Saade},
  title        = {{Modified Elephant APT and a Decade of Fabricating Evidence}},
  institution  = {SentinelOne},
  date         = {2022-02-09},
  url          = {https://www.sentinelone.com/wp-content/uploads/2022/02/Modified-Elephant-APT-and-a-Decade-of-Fabricating-Evidence-SentinelLabs.pdf},
  urldate      = {2022-02-14},
  language     = {English},
}
Modified Elephant APT and a Decade of Fabricating Evidence DarkComet Incubator NetWire RC |
2022-01-31 ⋅ Cyber Geeks ⋅ Vlad Pasca @online{pasca:20220131:detailed:262ea52,
  author       = {Vlad Pasca},
  title        = {{A Detailed Analysis Of Lazarus APT Malware Disguised As Notepad++ Shell Extension}},
  organization = {Cyber Geeks},
  date         = {2022-01-31},
  url          = {https://cybergeeks.tech/a-detailed-analysis-of-lazarus-malware-disguised-as-notepad-shell-extension/},
  urldate      = {2022-02-02},
  language     = {English},
}
A Detailed Analysis Of Lazarus APT Malware Disguised As Notepad++ Shell Extension Unidentified 090 (Lazarus) |
2022-01-13 ⋅ Kaspersky Labs ⋅ Seongsu Park, Vitaly Kamluk @online{park:20220113:bluenoroff:a3ce5e4,
  author       = {Seongsu Park and Vitaly Kamluk},
  title        = {{The BlueNoroff cryptocurrency hunt is still on}},
  organization = {Kaspersky Labs},
  date         = {2022-01-13},
  url          = {https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/},
  urldate      = {2022-01-17},
  language     = {English},
}
The BlueNoroff cryptocurrency hunt is still on SnatchCrypto |
2021-12-14 ⋅ Trend Micro ⋅ Nick Dai, Ted Lee, Vickie Su @online{dai:20211214:collecting:3d6dd34,
  author       = {Nick Dai and Ted Lee and Vickie Su},
  title        = {{Collecting In the Dark: Tropic Trooper Targets Transportation and Government}},
  organization = {Trend Micro},
  date         = {2021-12-14},
  url          = {https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html},
  urldate      = {2022-03-30},
  language     = {English},
}
Collecting In the Dark: Tropic Trooper Targets Transportation and Government ChiserClient Ghost RAT Lilith Quasar RAT xPack |
2021-10-11 ⋅ Telsy ⋅ Telsy @online{telsy:20211011:lazarus:7e07a1e,
  author       = {Telsy},
  title        = {{Lazarus Group continues AppleJeus Operation}},
  organization = {Telsy},
  date         = {2021-10-11},
  url          = {https://www.telsy.com/download/5394/?uid=28b0a4577e},
  urldate      = {2021-10-26},
  language     = {English},
}
Lazarus Group continues AppleJeus Operation AppleJeus |
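2021-10-05 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team @online{team:20211005:drawing:e53477d,
  author       = {{The BlackBerry Research \& Intelligence Team}},
  title        = {{Drawing a Dragon: Connecting the Dots to Find APT41}},
  organization = {Blackberry},
  date         = {2021-10-05},
  url          = {https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41},
  urldate      = {2021-10-11},
  language     = {English},
}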
Drawing a Dragon: Connecting the Dots to Find APT41 Cobalt Strike Ghost RAT |
2021-10-04 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20211004:malware:5ba808a,
  author       = {Shusei Tomonaga},
  title        = {{Malware Gh0stTimes Used by BlackTech}},
  organization = {JPCERT/CC},
  date         = {2021-10-04},
  url          = {https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html},
  urldate      = {2021-10-11},
  language     = {English},
}
Malware Gh0stTimes Used by BlackTech Gh0stTimes Ghost RAT |
2021-09-07 ⋅ LIFARS ⋅ Vlad Pasca @techreport{pasca:20210907:detailed:2e29866,
  author       = {Vlad Pasca},
  title        = {{A Detailed Analysis of Lazarus’ RAT Called FALLCHILL}},
  institution  = {LIFARS},
  date         = {2021-09-07},
  url          = {https://lifars.com/wp-content/uploads/2021/09/Lazarus.pdf},
  urldate      = {2022-01-20},
  language     = {English},
}
A Detailed Analysis of Lazarus’ RAT Called FALLCHILL Volgmer |
2021-09-06 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20210906:av:215e5aa,
  author       = {cocomelonc},
  title        = {{AV engines evasion for C++ simple malware: part 2}},
  organization = {cocomelonc},
  date         = {2021-09-06},
  url          = {https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html},
  urldate      = {2022-11-28},
  language     = {English},
}
AV engines evasion for C++ simple malware: part 2 Agent Tesla Amadey Anchor Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze Unidentified 090 (Lazarus) |
2021-09-04 ⋅ cocomelonc ⋅ cocomelonc @online{cocomelonc:20210904:av:06b27c5,
  author       = {cocomelonc},
  title        = {{AV engines evasion for C++ simple malware: part 1}},
  organization = {cocomelonc},
  date         = {2021-09-04},
  url          = {https://cocomelonc.github.io/tutorial/2021/09/04/simple-malware-av-evasion.html},
  urldate      = {2022-11-28},
  language     = {English},
}
AV engines evasion for C++ simple malware: part 1 4h_rat Azorult BADCALL BadNews BazarBackdoor Cardinal RAT |
2021-08-22 ⋅ Malware and Stuff ⋅ Andreas Klopsch @online{klopsch:20210822:peb:c8b9cea,
  author       = {Andreas Klopsch},
  title        = {{PEB: Where Magic Is Stored}},
  organization = {Malware and Stuff},
  date         = {2021-08-22},
  url          = {https://malwareandstuff.com/peb-where-magic-is-stored/},
  urldate      = {2021-09-19},
  language     = {English},
}
PEB: Where Magic Is Stored Dacls |
2021-08-22 ⋅ media.ccc.de ⋅ Lars Wallenborn @online{wallenborn:20210822:bangladesh:46f557f,
  author       = {Lars Wallenborn},
  title        = {{The Bangladesh cyber bank robbery: Tracking down major criminals with malware analysis}},
  organization = {media.ccc.de},
  date         = {2021-08-22},
  url          = {https://media.ccc.de/v/froscon2021-2670-der_cyber-bankraub_von_bangladesch},
  urldate      = {2021-09-10},
  language     = {German},
}
The Bangladesh cyber bank robbery: Tracking down major criminals with malware analysis DYEPACK |
2021-08-05 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20210805:ransomware:0962b82,
  author       = {Brian Krebs},
  title        = {{Ransomware Gangs and the Name Game Distraction}},
  organization = {KrebsOnSecurity},
  date         = {2021-08-05},
  url          = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/},
  urldate      = {2021-12-13},
  language     = {English},
}
Ransomware Gangs and the Name Game Distraction DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet |
2021-07-10 ⋅ Youtube (AhmedS Kasmani) ⋅ AhmedS Kasmani @online{kasmani:20210710:analysis:35afafd,
  author       = {AhmedS Kasmani},
  title        = {{Analysis of AppleJeus Malware by Lazarus Group}},
  organization = {Youtube (AhmedS Kasmani)},
  date         = {2021-07-10},
  url          = {https://www.youtube.com/watch?v=1NkzTKkEM2k},
  urldate      = {2021-07-20},
  language     = {English},
}
Analysis of AppleJeus Malware by Lazarus Group AppleJeus |
2021-06-15 ⋅ Kaspersky ⋅ Seongsu Park @online{park:20210615:andariel:1e000a0,
  author       = {Seongsu Park},
  title        = {{Andariel evolves to target South Korea with ransomware}},
  organization = {Kaspersky},
  date         = {2021-06-15},
  url          = {https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/},
  urldate      = {2021-11-03},
  language     = {English},
}
Andariel evolves to target South Korea with ransomware BISTROMATH PEBBLEDASH Tiger RAT Unidentified 081 (Andariel Ransomware) |
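2021-05-11 ⋅ Qianxin ⋅ Red Raindrop Team @online{team:20210511:analysis:d95ef63,
  author       = {{Red Raindrop Team}},
  title        = {{Analysis of a series of attacks by the suspected Lazarus organization using Daewoo Shipyard as relevant bait}},
  organization = {Qianxin},
  date         = {2021-05-11},
  url          = {https://ti.qianxin.com/blog/articles/Analysis-of-attacks-by-Lazarus-using-Daewoo-shipyard-as-bait/},
  urldate      = {2021-06-25},
  language     = {Chinese},
}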
Analysis of a series of attacks by the suspected Lazarus organization using Daewoo Shipyard as relevant bait BISTROMATH |
2021-05-05 ⋅ Zscaler ⋅ Aniruddha Dolas, Mohd Sadique, Manohar Ghule @online{dolas:20210505:catching:ace83fc,
author = {Aniruddha Dolas and Mohd Sadique and Manohar Ghule},
title = {{Catching RATs Over Custom Protocols: Analysis of top non-HTTP/S threats}},
date = {2021-05-05},
organization = {Zscaler},
url = {https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols},
language = {English},
urldate = {2021-05-08}
}
Catching RATs Over Custom Protocols: Analysis of top non-HTTP/S threats Agent Tesla AsyncRAT Crimson RAT CyberGate Ghost RAT Nanocore RAT NetWire RC NjRAT Quasar RAT Remcos |
2021-04-28 ⋅ Trend Micro ⋅ Jaromír Hořejší, Joseph C Chen @online{hoej:20210428:water:f769ce2,
author = {Jaromír Hořejší and Joseph C Chen},
title = {{Water Pamola Attacked Online Shops Via Malicious Orders}},
date = {2021-04-28},
organization = {Trend Micro},
url = {https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html},
language = {English},
urldate = {2021-05-04}
}
Water Pamola Attacked Online Shops Via Malicious Orders Ghost RAT |
2021-04-19 ⋅ Malwarebytes ⋅ Hossein Jazi @online{jazi:20210419:lazarus:dd2c372,
author = {Hossein Jazi},
title = {{Lazarus APT conceals malicious code within BMP image to drop its RAT}},
date = {2021-04-19},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/},
language = {English},
urldate = {2021-06-25}
}
Lazarus APT conceals malicious code within BMP image to drop its RAT BISTROMATH |
2021-04-15 ⋅ AhnLab ⋅ AhnLab ASEC Analysis Team @techreport{team:20210415:operation:98f465e,
author = {AhnLab ASEC Analysis Team},
title = {{Operation Dream Job Targeting Job Seekers in South Korea}},
date = {2021-04-15},
institution = {AhnLab},
url = {https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf},
language = {English},
urldate = {2021-05-25}
}
Operation Dream Job Targeting Job Seekers in South Korea LCPDot Torisma |
2021-04-02 ⋅ Dr.Web ⋅ Dr.Web @techreport{drweb:20210402:study:31b191e,
author = {Dr.Web},
title = {{Study of targeted attacks on Russian research institutes}},
date = {2021-04-02},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf},
language = {English},
urldate = {2021-04-06}
}
Study of targeted attacks on Russian research institutes Cotx RAT Ghost RAT TA428 |
2021-03-22 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20210322:lazarus:0adc271,
author = {Shusei Tomonaga},
title = {{Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta)}},
date = {2021-03-22},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2021/03/Lazarus_malware3.html},
language = {English},
urldate = {2021-03-25}
}
Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta) VSingle |
2021-03-21 ⋅ Blackberry ⋅ Blackberry Research @techreport{research:20210321:2021:a393473,
author = {Blackberry Research},
title = {{2021 Threat Report}},
date = {2021-03-21},
institution = {Blackberry},
url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf},
language = {English},
urldate = {2021-03-25}
}
2021 Threat Report Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot |
2021-03-15 ⋅ Sophos Labs ⋅ Mark Loman @online{loman:20210315:dearcry:a7ac407,
author = {Mark Loman},
title = {{DearCry ransomware attacks exploit Exchange server vulnerabilities}},
date = {2021-03-15},
organization = {Sophos Labs},
url = {https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/},
language = {English},
urldate = {2021-04-16}
}
DearCry ransomware attacks exploit Exchange server vulnerabilities dearcry WannaCryptor |
2021-03-03 ⋅ SYGNIA ⋅ Amitai Ben Shushan, Noam Lifshitz, Amnon Kushnir, Martin Korman, Boaz Wasserman @online{shushan:20210303:lazarus:60339a7,
author = {Amitai Ben Shushan and Noam Lifshitz and Amnon Kushnir and Martin Korman and Boaz Wasserman},
title = {{Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware}},
date = {2021-03-03},
organization = {SYGNIA},
url = {https://www.sygnia.co/mata-framework},
language = {English},
urldate = {2021-03-04}
}
Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware Dacls Dacls Dacls TFlower |
2021-02-28 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20210228:cyber:bd780cd,
author = {PWC UK},
title = {{Cyber Threats 2020: A Year in Retrospect}},
date = {2021-02-28},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf},
language = {English},
urldate = {2021-03-04}
}
Cyber Threats 2020: A Year in Retrospect elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Tonto Team |
2021-02-26 ⋅ YouTube (Black Hat) ⋅ Kevin Perlow @online{perlow:20210226:fastcash:2daf61f,
author = {Kevin Perlow},
title = {{FASTCash and INJX_Pure: How Threat Actors Use Public Standards for Financial Fraud}},
date = {2021-02-26},
organization = {YouTube (Black Hat)},
url = {https://www.youtube.com/watch?v=zGvQPtejX9w},
language = {English},
urldate = {2021-03-04}
}
FASTCash and INJX_Pure: How Threat Actors Use Public Standards for Financial Fraud FastCash |
2021-02-25 ⋅ Kaspersky Labs ⋅ Vyacheslav Kopeytsev, Seongsu Park @online{kopeytsev:20210225:lazarus:c887c21,
author = {Vyacheslav Kopeytsev and Seongsu Park},
title = {{Lazarus targets defense industry with ThreatNeedle}},
date = {2021-02-25},
organization = {Kaspersky Labs},
url = {https://securelist.com/lazarus-threatneedle/100803/},
language = {English},
urldate = {2021-02-25}
}
Lazarus targets defense industry with ThreatNeedle Volgmer |
2021-02-25 ⋅ Intezer ⋅ Intezer @techreport{intezer:20210225:year:eb47cd1,
author = {Intezer},
title = {{Year of the Gopher: A 2020 Go Malware Round-Up}},
date = {2021-02-25},
institution = {Intezer},
url = {https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf},
language = {English},
urldate = {2021-06-30}
}
Year of the Gopher: A 2020 Go Malware Round-Up NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy |
2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike @techreport{crowdstrike:20210223:2021:bf5bc4f,
author = {CrowdStrike},
title = {{2021 Global Threat Report}},
date = {2021-02-23},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf},
language = {English},
urldate = {2021-02-25}
}
2021 Global Threat Report RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER |
2021-02-22 ⋅ tccontre Blog ⋅ tcontre @online{tcontre:20210222:gh0strat:9f98308,
author = {tcontre},
title = {{Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload}},
date = {2021-02-22},
organization = {tccontre Blog},
url = {https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html},
language = {English},
urldate = {2021-02-25}
}
Gh0stRat Anti-Debugging: Nested SEH (try - catch) to Decrypt and Load its Payload Ghost RAT |
2021-02-17 ⋅ US-CERT ⋅ CISA @online{cisa:20210217:malware:5fa5db6,
author = {CISA},
title = {{Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto}},
date = {2021-02-17},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c},
language = {English},
urldate = {2021-02-20}
}
Malware Analysis Report (AR21-048C): AppleJeus: Union Crypto AppleJeus AppleJeus |
2021-02-17 ⋅ US-CERT ⋅ CISA @online{cisa:20210217:malware:18c1b8e,
author = {CISA},
title = {{Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading}},
date = {2021-02-17},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b},
language = {English},
urldate = {2021-02-20}
}
Malware Analysis Report (AR21-048B): AppleJeus: JMT Trading AppleJeus AppleJeus |
2021-02-17 ⋅ US-CERT ⋅ CISA @online{cisa:20210217:malware:191d7ae,
author = {CISA},
title = {{Malware Analysis Report (AR21-048F): AppleJeus: Dorusio}},
date = {2021-02-17},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f},
language = {English},
urldate = {2021-02-20}
}
Malware Analysis Report (AR21-048F): AppleJeus: Dorusio AppleJeus AppleJeus |
2021-02-17 ⋅ US-CERT ⋅ US-CERT @online{uscert:20210217:alert:3d0afe3,
author = {US-CERT},
title = {{Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware}},
date = {2021-02-17},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa21-048a},
language = {English},
urldate = {2021-02-20}
}
Alert (AA21-048A): AppleJeus: Analysis of North Korea’s Cryptocurrency Malware AppleJeus AppleJeus |
2021-02-17 ⋅ US-CERT ⋅ CISA @online{cisa:20210217:malware:39df9f4,
author = {CISA},
title = {{Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro}},
date = {2021-02-17},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a},
language = {English},
urldate = {2021-02-20}
}
Malware Analysis Report (AR21-048A): AppleJeus: Celas Trade Pro AppleJeus AppleJeus |
2021-02-17 ⋅ US-CERT ⋅ CISA @online{cisa:20210217:malware:5113e30,
author = {CISA},
title = {{Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade}},
date = {2021-02-17},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e},
language = {English},
urldate = {2021-02-20}
}
Malware Analysis Report (AR21-048E): AppleJeus: CoinGoTrade AppleJeus AppleJeus |
2021-02-17 ⋅ US-CERT ⋅ CISA @online{cisa:20210217:malware:59e2d5d,
author = {CISA},
title = {{Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet}},
date = {2021-02-17},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d},
language = {English},
urldate = {2021-02-20}
}
Malware Analysis Report (AR21-048D): AppleJeus: Kupay Wallet AppleJeus AppleJeus |
2021-02-17 ⋅ US-CERT ⋅ CISA @online{cisa:20210217:malware:47648b1,
author = {CISA},
title = {{Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale}},
date = {2021-02-17},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g},
language = {English},
urldate = {2021-02-20}
}
Malware Analysis Report (AR21-048G): AppleJeus: Ants2Whale AppleJeus AppleJeus |
2021-02-01 ⋅ ESET Research ⋅ Ignacio Sanmillan, Matthieu Faou @online{sanmillan:20210201:operation:9e52a78,
author = {Ignacio Sanmillan and Matthieu Faou},
title = {{Operation NightScout: Supply‑chain attack targets online gaming in Asia}},
date = {2021-02-01},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/},
language = {English},
urldate = {2021-02-17}
}
Operation NightScout: Supply‑chain attack targets online gaming in Asia Ghost RAT NoxPlayer Poison Ivy Red Dev 17 |
2021-02-01 ⋅ One Night in Norfolk ⋅ Kevin Perlow @online{perlow:20210201:dprk:e53f059,
author = {Kevin Perlow},
title = {{DPRK Targeting Researchers II: .Sys Payload and Registry Hunting}},
date = {2021-02-01},
organization = {One Night in Norfolk},
url = {https://norfolkinfosec.com/dprk-targeting-researchers-ii-sys-payload-and-registry-hunting/},
language = {English},
urldate = {2021-02-02}
}
DPRK Targeting Researchers II: .Sys Payload and Registry Hunting ComeBacker |
2021-01-30 ⋅ Microstep Intelligence Bureau ⋅ Microstep online research response team @online{team:20210130:analysis:2758345,
author = {Microstep online research response team},
title = {{Analysis of Lazarus attacks against security researchers}},
date = {2021-01-30},
organization = {Microstep Intelligence Bureau},
url = {https://www.anquanke.com/post/id/230161},
language = {Chinese},
urldate = {2021-02-02}
}
Analysis of Lazarus attacks against security researchers ComeBacker |
2021-01-29 ⋅ NSFOCUS ⋅ Fuying Laboratory @online{laboratory:20210129:stumbzarusaptlazarus:4d0bf52,
author = {Fuying Laboratory},
title = {{认识STUMBzarus——APT组织Lazarus近期定向攻击组件深入分析}},
date = {2021-01-29},
organization = {NSFOCUS},
url = {http://blog.nsfocus.net/stumbzarus-apt-lazarus/},
language = {Chinese},
urldate = {2021-02-02}
}
认识STUMBzarus——APT组织Lazarus近期定向攻击组件深入分析 DRATzarus Torisma |
2021-01-28 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team @online{mstic:20210128:zinc:9c8aff4,
author = {Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team},
title = {{ZINC attacks against security researchers}},
date = {2021-01-28},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/},
language = {English},
urldate = {2021-01-29}
}
ZINC attacks against security researchers ComeBacker Klackring |
2021-01-27 ⋅ S2W LAB Inc. ⋅ Sojun Ryu @online{ryu:20210127:how:7dcce24,
author = {Sojun Ryu},
title = {{How to communicate between RAT infected devices (White paper)}},
date = {2021-01-27},
organization = {S2W LAB Inc.},
url = {https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view},
language = {English},
urldate = {2021-01-27}
}
How to communicate between RAT infected devices (White paper) Volgmer |
2021-01-27 ⋅ S2W LAB Inc. ⋅ Sojun Ryu @online{ryu:20210127:analysis:d2bb250,
author = {Sojun Ryu},
title = {{Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers)}},
date = {2021-01-27},
organization = {S2W LAB Inc.},
url = {https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74},
language = {English},
urldate = {2021-01-27}
}
Analysis of THREATNEEDLE C&C Communication (feat. Google TAG Warning to Researchers) Volgmer |
2021-01-26 ⋅ Comae ⋅ Matt Suiche @online{suiche:20210126:pandorabox:0fc91d0,
author = {Matt Suiche},
title = {{PANDORABOX - North Koreans target security researchers}},
date = {2021-01-26},
organization = {Comae},
url = {https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/},
language = {English},
urldate = {2021-01-27}
}
PANDORABOX - North Koreans target security researchers ComeBacker |
2021-01-26 ⋅ One Night in Norfolk ⋅ Kevin Perlow @online{perlow:20210126:dprk:04391b6,
author = {Kevin Perlow},
title = {{DPRK Malware Targeting Security Researchers}},
date = {2021-01-26},
organization = {One Night in Norfolk},
url = {https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/},
language = {English},
urldate = {2021-01-27}
}
DPRK Malware Targeting Security Researchers ComeBacker |
2021-01-26 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20210126:operation:bc16746,
author = {Shusei Tomonaga},
title = {{Operation Dream Job by Lazarus}},
date = {2021-01-26},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html},
language = {English},
urldate = {2021-01-27}
}
Operation Dream Job by Lazarus LCPDot Torisma Lazarus Group |
2021-01-20 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20210120:commonly:e5a0269,
author = {Shusei Tomonaga},
title = {{Commonly Known Tools Used by Lazarus}},
date = {2021-01-20},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html},
language = {English},
urldate = {2021-01-21}
}
Commonly Known Tools Used by Lazarus Lazarus Group |
2021-01-15 ⋅ Swisscom ⋅ Markus Neis @techreport{neis:20210115:cracking:b1c1684,
author = {Markus Neis},
title = {{Cracking a Soft Cell is Harder Than You Think}},
date = {2021-01-15},
institution = {Swisscom},
url = {https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf},
language = {English},
urldate = {2021-01-18}
}
Cracking a Soft Cell is Harder Than You Think Ghost RAT MimiKatz PlugX Poison Ivy Trochilus RAT |
2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli @online{ramilli:20210109:command:d720b27,
author = {Marco Ramilli},
title = {{Command and Control Traffic Patterns}},
date = {2021-01-09},
organization = {Marco Ramilli's Blog},
url = {https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/},
language = {English},
urldate = {2021-05-17}
}
Command and Control Traffic Patterns ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot |
2021-01-07 ⋅ Github (hvs-consulting) ⋅ HvS-Consulting AG @online{ag:20210107:lazarus:963b364,
author = {HvS-Consulting AG},
title = {{Lazarus / APT37 IOCs}},
date = {2021-01-07},
organization = {Github (hvs-consulting)},
url = {https://github.com/hvs-consulting/ioc_signatures/tree/main/Lazarus_APT37},
language = {English},
urldate = {2021-01-21}
}
Lazarus / APT37 IOCs Lazarus Group |
2021-01-01 ⋅ Objective-See ⋅ Patrick Wardle @online{wardle:20210101:mac:a6f5a3b,
author = {Patrick Wardle},
title = {{The Mac Malware of 2020 - a comprehensive analysis of the year's new malware}},
date = {2021-01-01},
organization = {Objective-See},
url = {https://objective-see.com/blog/blog_0x5F.html},
language = {English},
urldate = {2021-01-11}
}
The Mac Malware of 2020 - a comprehensive analysis of the year's new malware AppleJeus Dacls EvilQuest FinFisher WatchCat XCSSET |
2020-12-21 ⋅ Cisco Talos ⋅ JON MUNSHAW @online{munshaw:20201221:2020:4a88f84,
author = {JON MUNSHAW},
title = {{2020: The year in malware}},
date = {2020-12-21},
organization = {Cisco Talos},
url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html},
language = {English},
urldate = {2020-12-26}
}
2020: The year in malware WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader |
2020-12-18 ⋅ Seqrite ⋅ Pavankumar Chaudhari @online{chaudhari:20201218:rat:50074a2,
author = {Pavankumar Chaudhari},
title = {{RAT used by Chinese cyberspies infiltrating Indian businesses}},
date = {2020-12-18},
organization = {Seqrite},
url = {https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/},
language = {English},
urldate = {2020-12-18}
}
RAT used by Chinese cyberspies infiltrating Indian businesses Ghost RAT |
2020-12-15 ⋅ HvS-Consulting AG ⋅ HvS-Consulting AG @techreport{ag:20201215:greetings:a5b59d9,
author = {HvS-Consulting AG},
title = {{Greetings from Lazarus: Anatomy of a cyber espionage campaign}},
date = {2020-12-15},
institution = {HvS-Consulting AG},
url = {https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf},
language = {English},
urldate = {2020-12-16}
}
Greetings from Lazarus: Anatomy of a cyber espionage campaign BLINDINGCAN MimiKatz |
2020-12-15 ⋅ HvS-Consulting AG ⋅ HvS-Consulting AG @online{ag:20201215:greetings:452ef44,
author = {HvS-Consulting AG},
title = {{Greetings from Lazarus: Anatomy of a cyber espionage campaign}},
date = {2020-12-15},
organization = {HvS-Consulting AG},
url = {https://www.hvs-consulting.de/lazarus-report/},
language = {English},
urldate = {2021-01-21}
}
Greetings from Lazarus: Anatomy of a cyber espionage campaign BLINDINGCAN MimiKatz Lazarus Group |
2020-12-11 ⋅ PWC UK ⋅ Twitter (@BitsOfBinary) @online{bitsofbinary:20201211:macos:a00d112,
author = {Twitter (@BitsOfBinary)},
title = {{Tweet on macOS Manuscrypt samples}},
date = {2020-12-11},
organization = {PWC UK},
url = {https://twitter.com/BitsOfBinary/status/1337330286787518464},
language = {English},
urldate = {2020-12-14}
}
Tweet on macOS Manuscrypt samples Manuscrypt |
2020-12-10 ⋅ Intel 471 ⋅ Intel 471 @online{471:20201210:no:9fd2ae1,
author = {Intel 471},
title = {{No pandas, just people: The current state of China’s cybercrime underground}},
date = {2020-12-10},
organization = {Intel 471},
url = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/},
language = {English},
urldate = {2020-12-10}
}
No pandas, just people: The current state of China’s cybercrime underground Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT |
2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC @online{uscert:20201210:alert:a5ec77e,
author = {US-CERT and FBI and MS-ISAC},
title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}},
date = {2020-12-10},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a},
language = {English},
urldate = {2020-12-11}
}
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus |
2020-12-09 ⋅ CrowdStrike ⋅ Josh Burgess, Jason Rivera @techreport{burgess:20201209:from:1811e9c,
author = {Josh Burgess and Jason Rivera},
title = {{From Zero to Sixty: The Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower}},
date = {2020-12-09},
institution = {CrowdStrike},
url = {https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf},
language = {English},
urldate = {2020-12-11}
}
From Zero to Sixty: The Story of North Korea’s Rapid Ascent to Becoming a Global Cyber Superpower FastCash Hermes WannaCryptor |
2020-11-27 ⋅ Macnica ⋅ Hiroshi Takeuchi @online{takeuchi:20201127:analyzing:4089f84,
author = {Hiroshi Takeuchi},
title = {{Analyzing Organizational Invasion Ransom Incidents Using Dtrack}},
date = {2020-11-27},
organization = {Macnica},
url = {https://blog.macnica.net/blog/2020/11/dtrack.html},
language = {Japanese},
urldate = {2020-12-08}
}
Analyzing Organizational Invasion Ransom Incidents Using Dtrack Cobalt Strike Dtrack |
2020-11-27 ⋅ Microstep Intelligence Bureau ⋅ Microstep online research response team @online{team:20201127:lazarus:9111581,
author = {Microstep online research response team},
title = {{钱包黑洞:Lazarus 组织近期在加密货币方面的隐蔽攻击活动}},
date = {2020-11-27},
organization = {Microstep Intelligence Bureau},
url = {https://www.anquanke.com/post/id/223817},
language = {Chinese},
urldate = {2020-12-26}
}
钱包黑洞:Lazarus 组织近期在加密货币方面的隐蔽攻击活动 Manuscrypt |
2020-11-21 ⋅ vxhive blog ⋅ 0xastrovax @online{0xastrovax:20201121:deep:89c1a51,
author = {0xastrovax},
title = {{Deep Dive Into HERMES Ransomware}},
date = {2020-11-21},
organization = {vxhive blog},
url = {https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html},
language = {English},
urldate = {2021-12-13}
}
Deep Dive Into HERMES Ransomware Hermes |
2020-11-16 ⋅ ESET Research ⋅ Anton Cherepanov, Peter Kálnai @online{cherepanov:20201116:lazarus:6b90a77,
author = {Anton Cherepanov and Peter Kálnai},
title = {{Lazarus supply‑chain attack in South Korea}},
date = {2020-11-16},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/},
language = {English},
urldate = {2020-11-18}
}
Lazarus supply‑chain attack in South Korea Lazarus Group |
2020-11-14 ⋅ Medium 0xastrovax ⋅ astrovax @online{astrovax:20201114:deep:b50ae08,
author = {astrovax},
title = {{Deep Dive Into Ryuk Ransomware}},
date = {2020-11-14},
organization = {Medium 0xastrovax},
url = {https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12},
language = {English},
urldate = {2021-01-25}
}
Deep Dive Into Ryuk Ransomware Hermes Ryuk |
2020-11-12 ⋅ Talos ⋅ Asheer Malhotra @online{malhotra:20201112:crat:1761f4e,
author = {Asheer Malhotra},
title = {{CRAT wants to plunder your endpoints}},
date = {2020-11-12},
organization = {Talos},
url = {https://blog.talosintelligence.com/2020/11/crat-and-plugins.html},
language = {English},
urldate = {2020-11-18}
}
CRAT wants to plunder your endpoints CRAT |
2020-11-05 ⋅ McAfee ⋅ Christiaan Beek, Ryan Sherstobitoff @online{beek:20201105:operation:ca0ac54,
author = {Christiaan Beek and Ryan Sherstobitoff},
title = {{Operation North Star: Behind The Scenes}},
date = {2020-11-05},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/},
language = {English},
urldate = {2022-02-17}
}
Operation North Star: Behind The Scenes Torisma |
2020-11-03 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20201103:trends:febc159,
author = {GReAT},
title = {{APT trends report Q3 2020}},
date = {2020-11-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q3-2020/99204/},
language = {English},
urldate = {2020-11-04}
}
APT trends report Q3 2020 WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti |
2020-10-28 ⋅ Twitter (@BitsOfBinary) ⋅ John @online{john:20201028:macos:15c0a45,
author = {John},
title = {{Tweet on macOS version of Manuscrypt}},
date = {2020-10-28},
organization = {Twitter (@BitsOfBinary)},
url = {https://twitter.com/BitsOfBinary/status/1321488299932983296},
language = {English},
urldate = {2020-12-03}
}
Tweet on macOS version of Manuscrypt Manuscrypt |
2020-10-27 ⋅ Dr.Web ⋅ Dr.Web @techreport{drweb:20201027:study:9f6e628,
author = {Dr.Web},
title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}},
date = {2020-10-27},
institution = {Dr.Web},
url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf},
language = {English},
urldate = {2020-10-29}
}
Study of the ShadowPad APT backdoor and its relation to PlugX Ghost RAT PlugX ShadowPad |
2020-09-29 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20200929:blindingcan:a85ca22,
author = {Shusei Tomonaga},
title = {{BLINDINGCAN - Malware Used by Lazarus}},
date = {2020-09-29},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html},
language = {English},
urldate = {2020-10-02}
}
BLINDINGCAN - Malware Used by Lazarus BLINDINGCAN Lazarus Group |
2020-09-16 ⋅ Qianxin ⋅ Red Raindrop Team @online{team:20200916:target:a21c14d,
author = {Red Raindrop Team},
title = {{Target defense industry: Lazarus uses recruitment bait combined with continuously updated cyber weapons}},
date = {2020-09-16},
organization = {Qianxin},
url = {https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg},
language = {English},
urldate = {2021-01-27}
}
Target defense industry: Lazarus uses recruitment bait combined with continuously updated cyber weapons CRAT |
2020-09-15 ⋅ CrowdStrike ⋅ CrowdStrike Overwatch Team @techreport{team:20200915:nowhere:284220e,
author = {CrowdStrike Overwatch Team},
title = {{Nowhere to Hide - 2020 Threat Hunting Report}},
date = {2020-09-15},
institution = {CrowdStrike},
url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf},
language = {English},
urldate = {2020-09-21}
}
Nowhere to Hide - 2020 Threat Hunting Report NedDnLoader RDAT TRACER KITTEN |
2020-08-31 ⋅ SentinelOne ⋅ Jim Walter @online{walter:20200831:blindingcan:cdb0ffc,
author = {Jim Walter},
title = {{The BLINDINGCAN RAT and Malicious North Korean Activity}},
date = {2020-08-31},
organization = {SentinelOne},
url = {https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/},
language = {English},
urldate = {2020-09-01}
}
The BLINDINGCAN RAT and Malicious North Korean Activity BLINDINGCAN |
2020-08-31 ⋅ JPCERT/CC ⋅ Shusei Tomonaga @online{tomonaga:20200831:malware:18b1228,
author = {Shusei Tomonaga},
title = {{Malware Used by Lazarus after Network Intrusion}},
date = {2020-08-31},
organization = {JPCERT/CC},
url = {https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html},
language = {English},
urldate = {2020-09-04}
}
Malware Used by Lazarus after Network Intrusion Lazarus Group |
2020-08-26 ⋅ CISA ⋅ CISA @online{cisa:20200826:mar103017062v1:e64b3ac,
author = {CISA},
title = {{MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT}},
date = {2020-08-26},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b},
language = {English},
urldate = {2020-09-01}
}
MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT NACHOCHEESE |
2020-08-26 ⋅ CISA ⋅ CISA @online{cisa:20200826:mar103017061v1:735a8fc,
author = {CISA},
title = {{MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON}},
date = {2020-08-26},
organization = {CISA},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a},
language = {English},
urldate = {2020-09-01}
}
MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON PSLogger |
2020-08-26 ⋅ CISA ⋅ CISA, U.S. Department of the Treasury, FBI, U.S. Cyber Command @online{cisa:20200826:alert:91b063b,
author = {CISA and U.S. Department of the Treasury and FBI and U.S. Cyber Command},
title = {{Alert (AA20-239A): FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks}},
date = {2020-08-26},
organization = {CISA},
url = {https://www.cisa.gov/uscert/ncas/alerts/aa20-239a},
language = {English},
urldate = {2022-04-20}
}
Alert (AA20-239A): FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks FastCash |
2020-08-19 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200819:malware:63a2025,
author = {US-CERT},
title = {{Malware Analysis Report (AR20-232A)}},
date = {2020-08-19},
organization = {US-CERT},
url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a},
language = {English},
urldate = {2020-09-01}
}
Malware Analysis Report (AR20-232A) Bankshot BLINDINGCAN |
2020-08-13 ⋅ ClearSky ⋅ ClearSky Research Team @techreport{team:20200813:operation:429bf86,
author = {ClearSky Research Team},
title = {{Operation ‘Dream Job’ Widespread North Korean Espionage Campaign}},
date = {2020-08-13},
institution = {ClearSky},
url = {https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf},
language = {English},
urldate = {2020-08-14}
}
Operation ‘Dream Job’ Widespread North Korean Espionage Campaign DRATzarus |
2020-08-05 ⋅ BlackHat ⋅ Kevin Perlow @techreport{perlow:20200805:fastcashand:301d8ce,
author = {Kevin Perlow},
title = {{FASTCash and INJX_PURE: How Threat Actors Use Public Standards for Financial Fraud}},
date = {2020-08-05},
institution = {BlackHat},
url = {https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf},
language = {English},
urldate = {2020-08-14}
}
FASTCash and INJX_PURE: How Threat Actors Use Public Standards for Financial Fraud FastCash |
2020-08-05 ⋅ BlackHat ⋅ Kevin Perlow @techreport{perlow:20200805:fastcash:5e6b73a,
author = {Kevin Perlow},
title = {{FASTCash and Associated Intrusion Techniques}},
date = {2020-08-05},
institution = {BlackHat},
url = {https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf},
language = {English},
urldate = {2020-08-14}
}
FASTCash and Associated Intrusion Techniques FastCash |
2020-08 ⋅ TG Soft ⋅ TG Soft @online{soft:202008:tg:88b671c,
author = {TG Soft},
title = {{TG Soft Cyber - Threat Report}},
date = {2020-08},
organization = {TG Soft},
url = {https://www.tgsoft.it/files/report/download.asp?id=7481257469},
language = {Italian},
urldate = {2020-09-15}
}
TG Soft Cyber - Threat Report DarkComet Darktrack RAT Emotet ISFB |
2020-08 ⋅ Temple University ⋅ CARE @online{care:202008:critical:415c34d,
author = {CARE},
title = {{Critical Infrastructure Ransomware Attacks}},
date = {2020-08},
organization = {Temple University},
url = {https://sites.temple.edu/care/ci-rw-attacks/},
language = {English},
urldate = {2020-09-15}
}
Critical Infrastructure Ransomware Attacks CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor |
2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20200729:trends:6810325,
author = {GReAT},
title = {{APT trends report Q2 2020}},
date = {2020-07-29},
organization = {Kaspersky Labs},
url = {https://securelist.com/apt-trends-report-q2-2020/97937/},
language = {English},
urldate = {2020-07-30}
}
APT trends report Q2 2020 PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel |
2020-07-29 ⋅ ESET Research ⋅ welivesecurity @techreport{welivesecurity:20200729:threat:496355c,
author = {welivesecurity},
title = {{THREAT REPORT Q2 2020}},
date = {2020-07-29},
institution = {ESET Research},
url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf},
language = {English},
urldate = {2020-07-30}
}
THREAT REPORT Q2 2020 DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor |
2020-07-28 ⋅ Kaspersky Labs ⋅ Ivan Kwiatkowski, Pierre Delcher, Félix Aime @online{kwiatkowski:20200728:lazarus:5b1523a,
author = {Ivan Kwiatkowski and Pierre Delcher and Félix Aime},
title = {{Lazarus on the hunt for big game}},
date = {2020-07-28},
organization = {Kaspersky Labs},
url = {https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/},
language = {English},
urldate = {2020-07-30}
}
Lazarus on the hunt for big game Dacls Dacls Dacls VHD Ransomware |
2020-07-28 ⋅ NTT ⋅ NTT Security @online{security:20200728:craftypanda:7643b28,
author = {NTT Security},
title = {{CraftyPanda 標的型攻撃解析レポート}},
date = {2020-07-28},
organization = {NTT},
url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report},
language = {Japanese},
urldate = {2020-07-30}
}
CraftyPanda 標的型攻撃解析レポート Ghost RAT PlugX |
2020-07-27 ⋅ SentinelOne ⋅ Phil Stokes @online{stokes:20200727:four:9d80c60,
author = {Phil Stokes},
title = {{Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform}},
date = {2020-07-27},
organization = {SentinelOne},
url = {https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/},
language = {English},
urldate = {2020-07-30}
}
Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform AppleJeus Casso Dacls WatchCat |
2020-07-22 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20200722:mata:591e184,
author = {GReAT},
title = {{MATA: Multi-platform targeted malware framework}},
date = {2020-07-22},
organization = {Kaspersky Labs},
url = {https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/},
language = {English},
urldate = {2020-07-23}
}
MATA: Multi-platform targeted malware framework Dacls Dacls Dacls |
2020-07-20 ⋅ Risky.biz ⋅ Daniel Gordon @online{gordon:20200720:what:b88e81f,
author = {Daniel Gordon},
title = {{What even is Winnti?}},
date = {2020-07-20},
organization = {Risky.biz},
url = {https://risky.biz/whatiswinnti/},
language = {English},
urldate = {2020-08-18}
}
What even is Winnti? CCleaner Backdoor Ghost RAT PlugX ZXShell |
2020-06-28 ⋅ Twitter (@ccxsaber) ⋅ z3r0 @online{z3r0:20200628:sample:8355378,
author = {z3r0},
title = {{Tweet on Sample}},
date = {2020-06-28},
organization = {Twitter (@ccxsaber)},
url = {https://twitter.com/ccxsaber/status/1277064824434745345},
language = {English},
urldate = {2020-07-15}
}
Tweet on Sample Unidentified 077 (Lazarus Downloader) |
2020-06-23 ⋅ ReversingLabs ⋅ Karlo Zanki @online{zanki:20200623:hidden:807b898,
author = {Karlo Zanki},
title = {{Hidden Cobra - from a shed skin to the viper’s nest}},
date = {2020-06-23},
organization = {ReversingLabs},
url = {https://blog.reversinglabs.com/blog/hidden-cobra},
language = {English},
urldate = {2020-06-23}
}
Hidden Cobra - from a shed skin to the viper’s nest Bankshot PEBBLEDASH TAINTEDSCRIBE |
2020-06-14 ⋅ BushidoToken ⋅ BushidoToken @online{bushidotoken:20200614:deepdive:3a375ca,
author = {BushidoToken},
title = {{Deep-dive: The DarkHotel APT}},
date = {2020-06-14},
organization = {BushidoToken},
url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html},
language = {English},
urldate = {2020-06-16}
}
Deep-dive: The DarkHotel APT Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode) |
2020-06-09 ⋅ Kaspersky Labs ⋅ Costin Raiu @online{raiu:20200609:looking:3038dce,
author = {Costin Raiu},
title = {{Looking at Big Threats Using Code Similarity. Part 1}},
date = {2020-06-09},
organization = {Kaspersky Labs},
url = {https://securelist.com/big-threats-using-code-similarity-part-1/97239/},
language = {English},
urldate = {2020-08-18}
}
Looking at Big Threats Using Code Similarity. Part 1 Penquin Turla CCleaner Backdoor EternalPetya Regin WannaCryptor XTunnel |
2020-06-05 ⋅ Prevailion ⋅ Danny Adamitis @online{adamitis:20200605:gh0st:849c227,
author = {Danny Adamitis},
title = {{The Gh0st Remains the Same}},
date = {2020-06-05},
organization = {Prevailion},
url = {https://www.prevailion.com/the-gh0st-remains-the-same-2/},
language = {English},
urldate = {2022-09-20}
}
The Gh0st Remains the Same Ghost RAT |
2020-06-04 ⋅ PTSecurity ⋅ PT ESC Threat Intelligence @online{intelligence:20200604:covid19:45fa7ba,
author = {PT ESC Threat Intelligence},
title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}},
date = {2020-06-04},
organization = {PTSecurity},
url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/},
language = {English},
urldate = {2020-06-05}
}
COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group Ghost RAT |
2020-05-31 ⋅ Twitter (ShadowChasing1) ⋅ Shadow Chaser Group @online{group:20200531:dtrack:d91f05d,
author = {Shadow Chaser Group},
title = {{Tweet on DTRACK malware}},
date = {2020-05-31},
organization = {Twitter (ShadowChasing1)},
url = {https://twitter.com/ShadowChasing1/status/1399369260577681426?s=20},
language = {English},
urldate = {2021-06-09}
}
Tweet on DTRACK malware Dtrack |
2020-05-20 ⋅ Medium Asuna Amawaka ⋅ Asuna Amawaka @online{amawaka:20200520:what:e02d9a4,
author = {Asuna Amawaka},
title = {{What happened between the BigBadWolf and the Tiger?}},
date = {2020-05-20},
organization = {Medium Asuna Amawaka},
url = {https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2},
language = {English},
urldate = {2021-02-18}
}
What happened between the BigBadWolf and the Tiger? Ghost RAT |
2020-05-14 ⋅ Avast Decoded ⋅ Luigino Camastra @online{camastra:20200514:planted:7b94cc6,
author = {Luigino Camastra},
title = {{APT Group Planted Backdoors Targeting High Profile Networks in Central Asia}},
date = {2020-05-14},
organization = {Avast Decoded},
url = {https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia},
language = {English},
urldate = {2022-07-25}
}
APT Group Planted Backdoors Targeting High Profile Networks in Central Asia BYEBY Ghost RAT Microcin MimiKatz Vicious Panda |
2020-05-12 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200512:mar102888341v1:e6e6a28,
author = {US-CERT},
title = {{MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE}},
date = {2020-05-12},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-133a},
language = {English},
urldate = {2020-05-14}
}
MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE Bankshot |
2020-05-11 ⋅ Trend Micro ⋅ Gabrielle Joyce Mabutas, Kazuki Fujisawa @online{mabutas:20200511:new:e25ce4e,
author = {Gabrielle Joyce Mabutas and Kazuki Fujisawa},
title = {{New MacOS Dacls RAT Backdoor Show Lazarus’ Multi-Platform Attack Capability}},
date = {2020-05-11},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/},
language = {English},
urldate = {2020-05-11}
}
New MacOS Dacls RAT Backdoor Show Lazarus’ Multi-Platform Attack Capability Dacls |
2020-05-11 ⋅ Trend Micro ⋅ Gabrielle Joyce Mabutas, Kazuki Fujisawa @online{mabutas:20200511:new:aa2bbd7,
author = {Gabrielle Joyce Mabutas and Kazuki Fujisawa},
title = {{New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability}},
date = {2020-05-11},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability},
language = {English},
urldate = {2020-06-03}
}
New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability Dacls |
2020-05-07 ⋅ AVAR ⋅ Mark Lechtik, Ariel Jugnheit @online{lechtik:20200507:north:3cfaf43,
author = {Mark Lechtik and Ariel Jugnheit},
title = {{The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market}},
date = {2020-05-07},
organization = {AVAR},
url = {https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view},
language = {English},
urldate = {2020-05-07}
}
The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market Volgmer |
2020-05-06 ⋅ Malwarebytes ⋅ Hossein Jazi, Thomas Reed, Jérôme Segura @online{jazi:20200506:new:7723083,
author = {Hossein Jazi and Thomas Reed and Jérôme Segura},
title = {{New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app}},
date = {2020-05-06},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/},
language = {English},
urldate = {2020-05-07}
}
New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app Dacls |
2020-05-05 ⋅ Objective-See ⋅ Patrick Wardle @online{wardle:20200505:dacls:b9f2391,
author = {Patrick Wardle},
title = {{The Dacls RAT ...now on macOS! deconstructing the mac variant of a lazarus group implant}},
date = {2020-05-05},
organization = {Objective-See},
url = {https://objective-see.com/blog/blog_0x57.html},
language = {English},
urldate = {2020-05-07}
}
The Dacls RAT ...now on macOS! deconstructing the mac variant of a lazarus group implant Dacls |
2020-05-04 ⋅ ADEO DFIR ⋅ ADEO DFIR @techreport{dfir:20200504:apt38:53494c3,
author = {ADEO DFIR},
title = {{APT38 Lazarus Threat Analysis Report}},
date = {2020-05-04},
institution = {ADEO DFIR},
url = {https://adeo.com.tr/wp-content/uploads/2020/05/ADEO-Lazarus-APT38.pdf},
language = {English},
urldate = {2023-02-21}
}
APT38 Lazarus Threat Analysis Report BLINDTOAD ELECTRICFISH |
2020-04-16 ⋅ VMWare Carbon Black ⋅ Scott Knight @online{knight:20200416:evolution:39b90c0,
author = {Scott Knight},
title = {{The Evolution of Lazarus}},
date = {2020-04-16},
organization = {VMWare Carbon Black},
url = {https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/},
language = {English},
urldate = {2020-04-17}
}
The Evolution of Lazarus HOTCROISSANT Rifdoor |
2020-04-14 ⋅ Qianxin ⋅ Qi'anxin Threat Intelligence @online{intelligence:20200414:lazarus:e451b26,
author = {Qi'anxin Threat Intelligence},
title = {{The Lazarus APT organization uses the new crown epidemic bait to target a targeted attack analysis of a country}},
date = {2020-04-14},
organization = {Qianxin},
url = {https://www.secrss.com/articles/18635},
language = {Chinese},
urldate = {2021-04-06}
}
The Lazarus APT organization uses the new crown epidemic bait to target a targeted attack analysis of a country CRAT |
2020-04-09 ⋅ suspected.tistory.com ⋅ hmkang92 @online{hmkang92:20200409:malware:ba76407,
author = {hmkang92},
title = {{Malware analysis (Emergency inquiry for Coronavirus response in Jeollanam-do.hwp)}},
date = {2020-04-09},
organization = {suspected.tistory.com},
url = {https://suspected.tistory.com/269},
language = {Korean},
urldate = {2021-04-06}
}
Malware analysis (Emergency inquiry for Coronavirus response in Jeollanam-do.hwp) CRAT |
2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team @online{team:20200305:humanoperated:d90a28e,
author = {Microsoft Threat Protection Intelligence Team},
title = {{Human-operated ransomware attacks: A preventable disaster}},
date = {2020-03-05},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/},
language = {English},
urldate = {2020-03-06}
}
Human-operated ransomware attacks: A preventable disaster Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA |
2020-03-05 ⋅ SophosLabs ⋅ Sergei Shevchenko @techreport{shevchenko:20200305:cloud:e83e58c,
author = {Sergei Shevchenko},
title = {{Cloud Snooper Attack Bypasses AWS Security Measures}},
date = {2020-03-05},
institution = {SophosLabs},
url = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophoslabs-cloud-snooper-report.pdf},
language = {English},
urldate = {2022-01-28}
}
Cloud Snooper Attack Bypasses AWS Security Measures Cloud Snooper Ghost RAT |
2020-03-03 ⋅ PWC UK ⋅ PWC UK @techreport{uk:20200303:cyber:1f1eef0,
author = {PWC UK},
title = {{Cyber Threats 2019: A Year in Retrospect}},
date = {2020-03-03},
institution = {PWC UK},
url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
language = {English},
urldate = {2020-03-03}
}
Cyber Threats 2019: A Year in Retrospect KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA |
2020-02-26 ⋅ MetaSwan's Lab ⋅ MetaSwan @online{metaswan:20200226:lazarus:0bf422f,
author = {MetaSwan},
title = {{Lazarus group's Brambul worm of the former Wannacry - 2}},
date = {2020-02-26},
organization = {MetaSwan's Lab},
url = {https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2},
language = {English},
urldate = {2022-03-02}
}
Lazarus group's Brambul worm of the former Wannacry - 2 Brambul |
2020-02-26 ⋅ MetaSwan's Lab ⋅ MetaSwan @online{metaswan:20200226:lazarus:1cacde4,
author = {MetaSwan},
title = {{Lazarus group's Brambul worm of the former Wannacry - 1}},
date = {2020-02-26},
organization = {MetaSwan's Lab},
url = {https://swanleesec.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1},
language = {English},
urldate = {2022-03-02}
}
Lazarus group's Brambul worm of the former Wannacry - 1 Brambul WannaCryptor |
2020-02-25 ⋅ SentinelOne ⋅ Jim Walter @online{walter:20200225:dprk:735f095,
author = {Jim Walter},
title = {{DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity}},
date = {2020-02-25},
organization = {SentinelOne},
url = {https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/},
language = {English},
urldate = {2020-02-27}
}
DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity ARTFULPIE BISTROMATH BUFFETLINE CHEESETRAY HOPLIGHT HOTCROISSANT SLICKSHOES |
2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua @online{decapua:20200225:feds:423f929,
author = {Joel DeCapua},
title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}},
date = {2020-02-25},
organization = {RSA Conference},
url = {https://www.youtube.com/watch?v=LUxOcpIRxmg},
language = {English},
urldate = {2020-03-04}
}
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus |
2020-02-22 ⋅ Objective-See ⋅ Patrick Wardle @online{wardle:20200222:weaponizing:ea810ff,
author = {Patrick Wardle},
title = {{Weaponizing a Lazarus Group Implant: repurposing a 1st-stage loader, to execute custom 'fileless' payloads}},
date = {2020-02-22},
organization = {Objective-See},
url = {https://objective-see.com/blog/blog_0x54.html},
language = {English},
urldate = {2020-02-27}
}
Weaponizing a Lazarus Group Implant: repurposing a 1st-stage loader, to execute custom 'fileless' payloads AppleJeus |
2020-02-19 ⋅ Lexfo ⋅ Lexfo @techreport{lexfo:20200219:lazarus:f293c37,
author = {Lexfo},
title = {{The Lazarus Constellation A study on North Korean malware}},
date = {2020-02-19},
institution = {Lexfo},
url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf},
language = {English},
urldate = {2020-03-11}
}
The Lazarus Constellation A study on North Korean malware FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor |
2020-02-14 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200214:malware:e48897a,
author = {US-CERT},
title = {{Malware Analysis Report (AR20-045B): MAR-10265965-2.v1 - North Korean Trojan: SLICKSHOES}},
date = {2020-02-14},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045b},
language = {English},
urldate = {2020-02-27}
}
Malware Analysis Report (AR20-045B): MAR-10265965-2.v1 - North Korean Trojan: SLICKSHOES SLICKSHOES |
2020-02-14 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200214:malware:fd008a7,
author = {US-CERT},
title = {{Malware Analysis Report (AR20-045G): MAR-10135536-8.v4 - North Korean Trojan: HOPLIGHT}},
date = {2020-02-14},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045g},
language = {English},
urldate = {2020-02-27}
}
Malware Analysis Report (AR20-045G): MAR-10135536-8.v4 - North Korean Trojan: HOPLIGHT HOPLIGHT |
2020-02-14 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200214:malware:de7cafb,
author = {US-CERT},
title = {{Malware Analysis Report (AR20-045F): MAR-10271944-3.v1 - North Korean Trojan: BUFFETLINE}},
date = {2020-02-14},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045f},
language = {English},
urldate = {2020-02-27}
}
Malware Analysis Report (AR20-045F): MAR-10271944-3.v1 - North Korean Trojan: BUFFETLINE BUFFETLINE |
2020-02-14 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200214:malware:43ff8f0,
author = {US-CERT},
title = {{Malware Analysis Report (AR20-045E): MAR-10271944-2.v1 - North Korean Trojan: ARTFULPIE}},
date = {2020-02-14},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045e},
language = {English},
urldate = {2020-02-27}
}
Malware Analysis Report (AR20-045E): MAR-10271944-2.v1 - North Korean Trojan: ARTFULPIE ARTFULPIE |
2020-02-14 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200214:malware:315814d,
author = {US-CERT},
title = {{Malware Analysis Report (AR20-045C)}},
date = {2020-02-14},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045c},
language = {English},
urldate = {2020-02-14}
}
Malware Analysis Report (AR20-045C) CHEESETRAY |
2020-02-14 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200214:malware:8992509,
author = {US-CERT},
title = {{Malware Analysis Report (AR20-045D): MAR-10271944-1.v1 - North Korean Trojan: HOTCROISSANT}},
date = {2020-02-14},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045d},
language = {English},
urldate = {2020-02-27}
}
Malware Analysis Report (AR20-045D): MAR-10271944-1.v1 - North Korean Trojan: HOTCROISSANT HOTCROISSANT |
2020-02-14 ⋅ US-CERT ⋅ US-CERT @online{uscert:20200214:malware:cdab5b7,
author = {US-CERT},
title = {{Malware Analysis Report (AR20-045A): MAR-10265965-1.v1 - North Korean Trojan: BISTROMATH}},
date = {2020-02-14},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045a},
language = {English},
urldate = {2020-02-27}
}
Malware Analysis Report (AR20-045A): MAR-10265965-1.v1 - North Korean Trojan: BISTROMATH BISTROMATH |
2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center @techreport{center:20200213:report:146d333,
author = {Qi Anxin Threat Intelligence Center},
title = {{APT Report 2019}},
date = {2020-02-13},
institution = {Qianxin},
url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf},
language = {English},
urldate = {2020-02-27}
}
APT Report 2019 Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy |
2020-02-10 ⋅ Malwarebytes ⋅ Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz @techreport{kujawa:20200210:2020:3fdaf12,
author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz},
title = {{2020 State of Malware Report}},
date = {2020-02-10},
institution = {Malwarebytes},
url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf},
language = {English},
urldate = {2020-02-13}
}
2020 State of Malware Report magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor |
2020-02-02 ⋅ Youtube (Ghidra Ninja) ⋅ Ghidra Ninja @online{ninja:20200202:reversing:872f4fb,
author = {Ghidra Ninja},
title = {{Reversing WannaCry Part 2 - Diving into the malware with \#Ghidra}},
date = {2020-02-02},
organization = {Youtube (Ghidra Ninja)},
url = {https://www.youtube.com/watch?v=Q90uZS3taG0},
language = {English},
urldate = {2020-02-09}
}
Reversing WannaCry Part 2 - Diving into the malware with #Ghidra WannaCryptor |
2020-01-26 ⋅ Brown Farinholt, Mohammad Rezaeirad, Damon McCoy, Kirill Levchenko @techreport{farinholt:20200126:dark:9c2f434,
author = {Brown Farinholt and Mohammad Rezaeirad and Damon McCoy and Kirill Levchenko},
title = {{Dark Matter: Uncovering the DarkComet RAT Ecosystem}},
date = {2020-01-26},
institution = {},
url = {https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf},
language = {English},
urldate = {2020-03-07}
}
Dark Matter: Uncovering the DarkComet RAT Ecosystem DarkComet |
2020-01-08 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20200108:operation:ea445d5,
author = {GReAT},
title = {{Operation AppleJeus Sequel}},
date = {2020-01-08},
organization = {Kaspersky Labs},
url = {https://securelist.com/operation-applejeus-sequel/95596/},
language = {English},
urldate = {2020-01-13}
}
Operation AppleJeus Sequel AppleJeus Unidentified macOS 001 (UnionCryptoTrader) |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:dcdc02a,
author = {SecureWorks},
title = {{BRONZE FLEETWOOD}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-fleetwood},
language = {English},
urldate = {2020-05-23}
}
BRONZE FLEETWOOD Binanen Ghost RAT OrcaRAT APT5 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:41a0bc0,
author = {SecureWorks},
title = {{BRONZE EDISON}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-edison},
language = {English},
urldate = {2020-05-23}
}
BRONZE EDISON Ghost RAT sykipot APT4 SAMURAI PANDA |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:iron:3c939bc,
author = {SecureWorks},
title = {{IRON VIKING}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/iron-viking},
language = {English},
urldate = {2020-05-23}
}
IRON VIKING BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor |
2020-01-01 ⋅ Objective-See ⋅ Patrick Wardle @online{wardle:20200101:mac:1d3cffc,
author = {Patrick Wardle},
title = {{The Mac Malware of 2019}},
date = {2020-01-01},
organization = {Objective-See},
url = {https://objective-see.com/blog/blog_0x53.html},
language = {English},
urldate = {2020-07-20}
}
The Mac Malware of 2019 Gmera Mokes Yort |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:dc58892,
author = {SecureWorks},
title = {{BRONZE GLOBE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-globe},
language = {English},
urldate = {2020-05-23}
}
BRONZE GLOBE EtumBot Ghost RAT APT12 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:aluminum:af22ffd,
author = {SecureWorks},
title = {{ALUMINUM SARATOGA}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/aluminum-saratoga},
language = {English},
urldate = {2020-05-23}
}
ALUMINUM SARATOGA BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:nickel:b8eb4a4,
author = {SecureWorks},
title = {{NICKEL ACADEMY}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/nickel-academy},
language = {English},
urldate = {2020-05-23}
}
NICKEL ACADEMY Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:nickel:bd4482a,
author = {SecureWorks},
title = {{NICKEL GLADSTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/nickel-gladstone},
language = {English},
urldate = {2020-05-23}
}
NICKEL GLADSTONE AlphaNC Bankshot Ratankba Lazarus Group |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:bronze:4db27ec,
author = {SecureWorks},
title = {{BRONZE UNION}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/bronze-union},
language = {English},
urldate = {2020-05-23}
}
BRONZE UNION 9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell APT27 |
2020 ⋅ Secureworks ⋅ SecureWorks @online{secureworks:2020:copper:e356116,
author = {SecureWorks},
title = {{COPPER FIELDSTONE}},
date = {2020},
organization = {Secureworks},
url = {https://www.secureworks.com/research/threat-profiles/copper-fieldstone},
language = {English},
urldate = {2020-05-23}
}
COPPER FIELDSTONE Crimson RAT DarkComet Luminosity RAT NjRAT Operation C-Major |
2019-12-17 ⋅ Netlab ⋅ Jinye, GenShen Ye @online{jinye:20191217:lazarus:f97fffd,
author = {Jinye and GenShen Ye},
title = {{Lazarus Group uses Dacls RAT to attack Linux platform}},
date = {2019-12-17},
organization = {Netlab},
url = {https://blog.netlab.360.com/dacls-the-dual-platform-rat/},
language = {Chinese},
urldate = {2020-01-07}
}
Lazarus Group uses Dacls RAT to attack Linux platform Dacls Log Collector Dacls |
2019-12-12 ⋅ FireEye ⋅ Chi-en Shen, Oleg Bondarenko @online{shen:20191212:cyber:e01baca,
author = {Chi-en Shen and Oleg Bondarenko},
title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}},
date = {2019-12-12},
organization = {FireEye},
url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko},
language = {English},
urldate = {2020-04-16}
}
Cyber Threat Landscape in Japan – Revealing Threat in the Shadow Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech |
2019-12-12 ⋅ Microsoft ⋅ Microsoft Threat Intelligence Center @online{center:20191212:gallium:79f6460,
author = {Microsoft Threat Intelligence Center},
title = {{GALLIUM: Targeting global telecom}},
date = {2019-12-12},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/},
language = {English},
urldate = {2022-06-15}
}
GALLIUM: Targeting global telecom CHINACHOPPER Ghost RAT HTran MimiKatz Poison Ivy GALLIUM |
2019-12-03 ⋅ Objective-See ⋅ Objective-See @online{objectivesee:20191203:lazarus:028af2b,
author = {Objective-See},
title = {{Lazarus Group Goes 'Fileless'}},
date = {2019-12-03},
organization = {Objective-See},
url = {https://objective-see.com/blog/blog_0x51.html},
language = {English},
urldate = {2020-01-13}
}
Lazarus Group Goes 'Fileless' Unidentified macOS 001 (UnionCryptoTrader) |
2019-11-21 ⋅ Cyberbit ⋅ Hod Gavriel @online{gavriel:20191121:dtrack:fe6fbbc,
author = {Hod Gavriel},
title = {{Dtrack: In-depth analysis of APT on a nuclear power plant}},
date = {2019-11-21},
organization = {Cyberbit},
url = {https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/},
language = {English},
urldate = {2020-08-21}
}
Dtrack: In-depth analysis of APT on a nuclear power plant Dtrack |
2019-11-21 ⋅ ThreatBook ⋅ ThreatBook @techreport{threatbook:20191121:nightmare:f88dec3,
author = {ThreatBook},
title = {{The Nightmare of Global Cryptocurrency Companies - Demystifying the “DangerousPassword” of the APT Organization}},
date = {2019-11-21},
institution = {ThreatBook},
url = {https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf},
language = {English},
urldate = {2022-08-12}
}
The Nightmare of Global Cryptocurrency Companies - Demystifying the “DangerousPassword” of the APT Organization SnatchCrypto |
2019-11-19 ⋅ FireEye ⋅ Kelli Vanderlee, Nalani Fraser @techreport{vanderlee:20191119:achievement:6be19eb,
author = {Kelli Vanderlee and Nalani Fraser},
title = {{Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions}},
date = {2019-11-19},
institution = {FireEye},
url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf},
language = {English},
urldate = {2021-03-02}
}
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell |
2019-11-04 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli @online{ramilli:20191104:is:79a8669,
author = {Marco Ramilli},
title = {{Is Lazarus/APT38 Targeting Critical Infrastructures?}},
date = {2019-11-04},
organization = {Marco Ramilli's Blog},
url = {https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/},
language = {English},
urldate = {2020-01-07}
}
Is Lazarus/APT38 Targeting Critical Infrastructures? Dtrack |
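2019-11-04 ⋅ Tencent ⋅ Tencent Security Mikan TIC @online{tic:20191104:attack:33a29db,
  author       = {{Tencent Security Mikan TIC}},
  title        = {{APT attack group "Higaisa" attack activity disclosed}},
  organization = {Tencent},
  date         = {2019-11-04},
  url          = {https://s.tencent.com/research/report/836.html},
  urldate      = {2020-05-13},
  language     = {Chinese},
}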
APT attack group "Higaisa" attack activity disclosed Ghost RAT Higaisa |
2019-11-03 ⋅ Github (jeFF0Falltrades) ⋅ Jeff Archer @online{archer:20191103:dtrack:de46ce3,
  author       = {Archer, Jeff},
  title        = {{DTrack}},
  organization = {Github (jeFF0Falltrades)},
  date         = {2019-11-03},
  url          = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md},
  urldate      = {2019-12-18},
  language     = {English},
}
DTrack Dtrack |
2019-10-31 ⋅ CISA ⋅ CISA @online{cisa:20191031:malware:4eccc2d,
  author       = {CISA},
  title        = {{Malware Analysis Report (AR19-304A)}},
  organization = {CISA},
  date         = {2019-10-31},
  url          = {https://www.us-cert.gov/ncas/analysis-reports/ar19-304a},
  urldate      = {2020-01-09},
  language     = {English},
}
Malware Analysis Report (AR19-304A) HOPLIGHT |
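2019-10-17 ⋅ Vitali Kremez @online{kremez:20191017:lets:d41b75a,
  author   = {Kremez, Vitali},
  title    = {{Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" \& ADVObfuscator}},
  date     = {2019-10-17},
  url      = {https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html},
  urldate  = {2020-01-08},
  language = {English},
}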
Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator AppleJeus |
2019-10-12 ⋅ Objective-See ⋅ Patrick Wardle @online{wardle:20191012:pass:9a75bd6,
  author       = {Wardle, Patrick},
  title        = {{Pass the AppleJeus}},
  organization = {Objective-See},
  date         = {2019-10-12},
  url          = {https://objective-see.com/blog/blog_0x49.html},
  urldate      = {2020-01-13},
  language     = {English},
}
Pass the AppleJeus AppleJeus |
2019-10-11 ⋅ Twitter (@VK_intel) ⋅ Vitali Kremez @online{kremez:20191011:possible:3be065d,
  author       = {Kremez, Vitali},
  title        = {{Possible Lazarus x86 Malware (AppleJeus)}},
  organization = {Twitter (@VK_intel)},
  date         = {2019-10-11},
  url          = {https://twitter.com/VK_Intel/status/1182730637016481793},
  urldate      = {2019-11-23},
  language     = {English},
}
Possible Lazarus x86 Malware (AppleJeus) AppleJeus |
2019-09-23 ⋅ Kaspersky Labs ⋅ Konstantin Zykov @online{zykov:20190923:hello:a1e9360,
  author       = {Zykov, Konstantin},
  title        = {{Hello! My name is Dtrack}},
  organization = {Kaspersky Labs},
  date         = {2019-09-23},
  url          = {https://securelist.com/my-name-is-dtrack/93338/},
  urldate      = {2020-01-13},
  language     = {English},
}
Hello! My name is Dtrack Dtrack |
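2019-09-23 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20190923:apt41:63b9ff7,
  author       = {{MITRE ATT\&CK}},
  title        = {{APT41}},
  organization = {MITRE},
  date         = {2019-09-23},
  url          = {https://attack.mitre.org/groups/G0096},
  urldate      = {2022-08-30},
  language     = {English},
}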
APT41 Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41 |
2019-09-18 ⋅ SophosLabs Uncut ⋅ Peter Mackenzie @online{mackenzie:20190918:wannacry:7aeb8e1,
  author       = {Mackenzie, Peter},
  title        = {{The WannaCry hangover}},
  organization = {SophosLabs Uncut},
  date         = {2019-09-18},
  url          = {https://news.sophos.com/en-us/2019/09/18/the-wannacry-hangover/},
  urldate      = {2022-03-18},
  language     = {English},
}
The WannaCry hangover WannaCryptor |
2019-09-17 ⋅ Talos ⋅ Christopher Evans, David Liebenberg @online{evans:20190917:cryptocurrency:8f3a9e9,
  author       = {Evans, Christopher and Liebenberg, David},
  title        = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}},
  organization = {Talos},
  date         = {2019-09-17},
  url          = {https://blog.talosintelligence.com/2019/09/panda-evolution.html},
  urldate      = {2019-10-31},
  language     = {English},
}
Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda” Ghost RAT |
2019-09-17 ⋅ SophosLabs ⋅ Peter Mackenzie @techreport{mackenzie:20190917:wannacry:250bb80,
  author      = {Mackenzie, Peter},
  title       = {{WannaCry Aftershock}},
  institution = {SophosLabs},
  date        = {2019-09-17},
  url         = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/WannaCry-Aftershock.pdf},
  urldate     = {2022-03-22},
  language    = {English},
}
WannaCry Aftershock WannaCryptor |
2019-09-09 ⋅ CISA ⋅ CISA @online{cisa:20190909:malware:f266520,
  author       = {CISA},
  title        = {{Malware Analysis Report (AR19-252A)}},
  organization = {CISA},
  date         = {2019-09-09},
  url          = {https://www.us-cert.gov/ncas/analysis-reports/ar19-252a},
  urldate      = {2020-01-07},
  language     = {English},
}
Malware Analysis Report (AR19-252A) BADCALL BADCALL |
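2019-08-11 ⋅ Twitter (@KevinPerlow) ⋅ Kevin Perlow @online{perlow:20190811:updated:b23bfc9,
  author       = {Perlow, Kevin},
  title        = {{Updated \#Lazarus Keylogger (uploaded June)}},
  organization = {Twitter (@KevinPerlow)},
  date         = {2019-08-11},
  url          = {https://twitter.com/KevinPerlow/status/1160766519615381504},
  urldate      = {2022-11-21},
  language     = {English},
}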
Updated #Lazarus Keylogger (uploaded June) PSLogger |
2019-08-01 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20190801:trends:5e25d5b,
  author       = {GReAT},
  title        = {{APT trends report Q2 2019}},
  organization = {Kaspersky Labs},
  date         = {2019-08-01},
  url          = {https://securelist.com/apt-trends-report-q2-2019/91897/},
  urldate      = {2020-08-13},
  language     = {English},
}
APT trends report Q2 2019 ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy |
2019-07-28 ⋅ Dissecting Malware ⋅ Marius Genheimer @online{genheimer:20190728:third:ede6ba2,
  author       = {Genheimer, Marius},
  title        = {{Third time's the charm? Analysing WannaCry samples}},
  organization = {Dissecting Malware},
  date         = {2019-07-28},
  url          = {https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html},
  urldate      = {2020-03-27},
  language     = {English},
}
Third time's the charm? Analysing WannaCry samples WannaCryptor |
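2019-07-11 ⋅ NTT Security ⋅ NTT Security @online{security:20190711:targeted:a48e692,
  author       = {{NTT Security}},
  title        = {{Targeted TrickBot activity drops 'PowerBrace' backdoor}},
  organization = {NTT Security},
  date         = {2019-07-11},
  url          = {https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor},
  urldate      = {2019-12-18},
  language     = {English},
}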
Targeted TrickBot activity drops 'PowerBrace' backdoor PowerBrace TrickBot |
2019-05-30 ⋅ Talos Intelligence ⋅ Vanja Svajcer @online{svajcer:20190530:10:82553e1,
  author       = {Svajcer, Vanja},
  title        = {{10 years of virtual dynamite: A high-level retrospective of ATM malware}},
  organization = {Talos Intelligence},
  date         = {2019-05-30},
  url          = {https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html},
  urldate      = {2019-11-24},
  language     = {English},
}
10 years of virtual dynamite: A high-level retrospective of ATM malware FastCash Project Alice Cutlet Ploutus ATM Skimer Tyupkin |
2019-05-09 ⋅ CISA ⋅ CISA @online{cisa:20190509:malware:0fa3b40,
  author       = {CISA},
  title        = {{Malware Analysis Report (AR19-129A)}},
  organization = {CISA},
  date         = {2019-05-09},
  url          = {https://www.us-cert.gov/ncas/analysis-reports/AR19-129A},
  urldate      = {2020-01-08},
  language     = {English},
}
Malware Analysis Report (AR19-129A) ELECTRICFISH Lazarus Group |
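2019-04-25 ⋅ DATANET ⋅ Kim Seon-ae @online{seonae:20190425:chinesebased:fa78904,
  author       = {Kim, Seon-ae},
  title        = {{Chinese-based hackers attack domestic energy institutions}},
  organization = {DATANET},
  date         = {2019-04-25},
  url          = {https://www.datanet.co.kr/news/articleView.html?idxno=133346},
  urldate      = {2021-02-09},
  language     = {Korean},
}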
Chinese-based hackers attack domestic energy institutions CALMTHORN Ghost RAT |
2019-04-24 ⋅ SpecterOps ⋅ Richie Cyrus @online{cyrus:20190424:introducing:f1d4536,
  author       = {Cyrus, Richie},
  title        = {{Introducing Venator: A macOS tool for proactive detection}},
  organization = {SpecterOps},
  date         = {2019-04-24},
  url          = {https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56},
  urldate      = {2020-01-07},
  language     = {English},
}
Introducing Venator: A macOS tool for proactive detection AppleJeus WindTail |
2019-04-11 ⋅ Computing.co.uk ⋅ Dev Kundaliya @online{kundaliya:20190411:lazarus:2ad8687,
  author       = {Kundaliya, Dev},
  title        = {{Lazarus rises: Warning over new HOPLIGHT malware linked with North Korea}},
  organization = {Computing.co.uk},
  date         = {2019-04-11},
  url          = {https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea},
  urldate      = {2020-01-06},
  language     = {English},
}
Lazarus rises: Warning over new HOPLIGHT malware linked with North Korea HOPLIGHT |
2019-04-10 ⋅ One Night in Norfolk ⋅ Norfolk @online{norfolk:20190410:osint:7dfb7d1,
  author       = {Norfolk},
  title        = {{OSINT Reporting Regarding DPRK and TA505 Overlap}},
  organization = {One Night in Norfolk},
  date         = {2019-04-10},
  url          = {https://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/},
  urldate      = {2020-01-06},
  language     = {English},
}
OSINT Reporting Regarding DPRK and TA505 Overlap PowerBrace |
2019-04-10 ⋅ The Register ⋅ Shaun Nichols @online{nichols:20190410:lazarus:33958ca,
  author       = {Nichols, Shaun},
  title        = {{Lazarus Group rises again from the digital grave with Hoplight malware for all}},
  organization = {The Register},
  date         = {2019-04-10},
  url          = {https://www.theregister.co.uk/2019/04/10/lazarus_group_malware/},
  urldate      = {2019-12-24},
  language     = {English},
}
Lazarus Group rises again from the digital grave with Hoplight malware for all Lazarus Group |
2019-04-10 ⋅ US-CERT ⋅ US-CERT @online{uscert:20190410:malware:4946afa,
  author       = {US-CERT},
  title        = {{Malware Analysis Report (AR19-100A): North Korean Trojan: HOPLIGHT}},
  organization = {US-CERT},
  date         = {2019-04-10},
  url          = {https://www.us-cert.gov/ncas/analysis-reports/AR19-100A},
  urldate      = {2020-01-09},
  language     = {English},
}
Malware Analysis Report (AR19-100A): North Korean Trojan: HOPLIGHT HOPLIGHT |
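2019-03-27 ⋅ Symantec ⋅ Security Response Attack Investigation Team @online{team:20190327:elfin:836cc39,
  author       = {{Security Response Attack Investigation Team}},
  title        = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}},
  organization = {Symantec},
  date         = {2019-03-27},
  url          = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage},
  urldate      = {2020-01-06},
  language     = {English},
}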
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33 |
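2019-03-27 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team @online{team:20190327:elfin:d90a330,
  author       = {{Critical Attack Discovery and Intelligence Team}},
  title        = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}},
  organization = {Symantec},
  date         = {2019-03-27},
  url          = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage},
  urldate      = {2020-04-21},
  language     = {English},
}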
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33 |
2019-03-26 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20190326:cryptocurrency:c95b701,
  author       = {GReAT},
  title        = {{Cryptocurrency businesses still being targeted by Lazarus}},
  organization = {Kaspersky Labs},
  date         = {2019-03-26},
  url          = {https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/},
  urldate      = {2019-12-20},
  language     = {English},
}
Cryptocurrency businesses still being targeted by Lazarus Yort Lazarus Group |
2019-03-20 ⋅ Github (649) ⋅ @037 @online{037:20190320:apt38:4c7f1d4,
  author       = {@037},
  title        = {{APT38 DYEPACK FRAMEWORK}},
  organization = {Github (649)},
  date         = {2019-03-20},
  url          = {https://github.com/649/APT38-DYEPACK},
  urldate      = {2019-12-17},
  language     = {English},
}
APT38 DYEPACK FRAMEWORK DYEPACK |
2019-03-18 ⋅ DCSO ⋅ DCSO @online{dcso:20190318:enterprise:ff92a62,
  author       = {DCSO},
  title        = {{Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware}},
  organization = {DCSO},
  date         = {2019-03-18},
  url          = {https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/},
  urldate      = {2021-12-13},
  language     = {English},
}
Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware Hermes |
2019-03-12 ⋅ Malwarebytes ⋅ William Tsing @online{tsing:20190312:advanced:e68d915,
  author       = {Tsing, William},
  title        = {{The Advanced Persistent Threat files: Lazarus Group}},
  organization = {Malwarebytes},
  date         = {2019-03-12},
  url          = {https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/},
  urldate      = {2019-12-20},
  language     = {English},
}
The Advanced Persistent Threat files: Lazarus Group Lazarus Group |
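2019-02-27 ⋅ Secureworks ⋅ CTU Research Team @online{team:20190227:peek:16c9160,
  author       = {{CTU Research Team}},
  title        = {{A Peek into BRONZE UNION’s Toolbox}},
  organization = {Secureworks},
  date         = {2019-02-27},
  url          = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox},
  urldate      = {2020-01-07},
  language     = {English},
}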
A Peek into BRONZE UNION’s Toolbox Ghost RAT HyperBro ZXShell |
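2019-02-19 ⋅ Check Point Research ⋅ Check Point @online{point:20190219:north:2d1cfbe,
  author       = {{Check Point}},
  title        = {{North Korea Turns Against New Targets?!}},
  organization = {Check Point Research},
  date         = {2019-02-19},
  url          = {https://research.checkpoint.com/north-korea-turns-against-russian-targets/},
  urldate      = {2019-10-21},
  language     = {English},
}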
North Korea Turns Against New Targets?! KEYMARBLE |
2019-01-31 ⋅ ESTsecurity ⋅ Alyac @online{alyac:20190131:lazarus:bbb47f8,
  author       = {Alyac},
  title        = {{Lazarus APT Organization Attacks with Operation Extreme Job}},
  organization = {ESTsecurity},
  date         = {2019-01-31},
  url          = {https://blog.alyac.co.kr/2105},
  urldate      = {2019-10-21},
  language     = {Korean},
}
Lazarus APT Organization Attacks with Operation Extreme Job CoreDN |
2019-01-30 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Paul Rascagnères, Jungsoo An @online{brumaghin:20190130:fake:3499d4e,
  author       = {Brumaghin, Edmund and Rascagnères, Paul and An, Jungsoo},
  title        = {{Fake Cisco Job Posting Targets Korean Candidates}},
  organization = {Cisco Talos},
  date         = {2019-01-30},
  url          = {https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html},
  urldate      = {2020-01-10},
  language     = {English},
}
Fake Cisco Job Posting Targets Korean Candidates CoreDN |
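2019-01-29 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20190129:apt38:dcc2df5,
  author       = {{MITRE ATT\&CK}},
  title        = {{APT38}},
  organization = {MITRE},
  date         = {2019-01-29},
  url          = {https://attack.mitre.org/groups/G0082},
  urldate      = {2022-07-13},
  language     = {English},
}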
APT38 Lazarus Group |
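2019-01-23 ⋅ NSHC RedAlert Labs ⋅ ThreatRecon Team @online{team:20190123:sectora01:963118e,
  author       = {{ThreatRecon Team}},
  title        = {{SectorA01 Custom Proxy Utility Tool Analysis}},
  organization = {NSHC RedAlert Labs},
  date         = {2019-01-23},
  url          = {https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/},
  urldate      = {2019-10-18},
  language     = {English},
}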
SectorA01 Custom Proxy Utility Tool Analysis FastCash |
2019-01-22 ⋅ One Night in Norfolk ⋅ Norfolk @online{norfolk:20190122:lazarus:74b5983,
  author       = {Norfolk},
  title        = {{A Lazarus Keylogger- PSLogger}},
  organization = {One Night in Norfolk},
  date         = {2019-01-22},
  url          = {https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/},
  urldate      = {2020-01-10},
  language     = {English},
}
A Lazarus Keylogger- PSLogger PSLogger |
2019-01-16 ⋅ ZDNet ⋅ Catalin Cimpanu @online{cimpanu:20190116:north:8f56bd0,
  author       = {Cimpanu, Catalin},
  title        = {{North Korean hackers infiltrate Chile's ATM network after Skype job interview}},
  organization = {ZDNet},
  date         = {2019-01-16},
  url          = {https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/},
  urldate      = {2020-01-10},
  language     = {English},
}
North Korean hackers infiltrate Chile's ATM network after Skype job interview Lazarus Group |
2019-01-15 ⋅ Flashpoint ⋅ Vitali Kremez @online{kremez:20190115:disclosure:0e74c4e,
  author       = {Kremez, Vitali},
  title        = {{Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties}},
  organization = {Flashpoint},
  date         = {2019-01-15},
  url          = {https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/},
  urldate      = {2019-08-08},
  language     = {English},
}
Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties PowerRatankba |
2019-01-07 ⋅ Intezer ⋅ Ignacio Sanmillan @online{sanmillan:20190107:chinaz:50bb5f4,
  author       = {Sanmillan, Ignacio},
  title        = {{ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups}},
  organization = {Intezer},
  date         = {2019-01-07},
  url          = {https://www.intezer.com/blog/malware-analysis/chinaz-relations/},
  urldate      = {2022-09-20},
  language     = {English},
}
ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups Ghost RAT |
2019 ⋅ Dragos ⋅ Dragos @online{dragos:2019:adversary:0237a20,
  author       = {Dragos},
  title        = {{Adversary Reports}},
  organization = {Dragos},
  date         = {2019},
  url          = {https://dragos.com/adversaries.html},
  urldate      = {2020-01-10},
  language     = {English},
}
Adversary Reports ALLANITE APT33 CHRYSENE ENERGETIC BEAR Lazarus Group Sandworm |
2019 ⋅ CISA ⋅ CISA @online{cisa:2019:hidden:52ee565,
  author       = {CISA},
  title        = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}},
  organization = {CISA},
  date         = {2019},
  url          = {https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity},
  urldate      = {2020-01-07},
  language     = {English},
}
HIDDEN COBRA - North Korean Malicious Cyber Activity Lazarus Group |
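2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker @online{tracker:2019:compromise:31bbbf4,
  author       = {{Cyber Operations Tracker}},
  title        = {{Compromise of cryptocurrency exchanges in South Korea}},
  organization = {Council on Foreign Relations},
  date         = {2019},
  url          = {https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea},
  urldate      = {2019-12-20},
  language     = {English},
}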
Compromise of cryptocurrency exchanges in South Korea Lazarus Group |
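2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker @online{tracker:2019:operation:207fc18,
  author       = {{Cyber Operations Tracker}},
  title        = {{Operation GhostSecret}},
  organization = {Council on Foreign Relations},
  date         = {2019},
  url          = {https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret},
  urldate      = {2019-12-20},
  language     = {English},
}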
Operation GhostSecret Lazarus Group |
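2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker @online{tracker:2019:covellite:a635ad6,
  author       = {{Cyber Operations Tracker}},
  title        = {{Covellite}},
  organization = {Council on Foreign Relations},
  date         = {2019},
  url          = {https://www.cfr.org/interactive/cyber-operations/covellite},
  urldate      = {2019-12-20},
  language     = {English},
}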
Covellite Lazarus Group |
2019-01 ⋅ Journal of Telecommunications and Information Technology ⋅ Maxat Akbanov, Vassilios G. Vassilakis, Michael D. Logothetis @techreport{akbanov:201901:wannacry:60d302c,
  author      = {Akbanov, Maxat and Vassilakis, Vassilios G. and Logothetis, Michael D.},
  title       = {{WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms}},
  institution = {Journal of Telecommunications and Information Technology},
  date        = {2019-01},
  url         = {https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf},
  urldate     = {2021-01-11},
  language    = {English},
}
WannaCry Ransomware: Analysis of Infection, Persistence, Recovery Prevention and Propagation Mechanisms WannaCryptor |
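2019 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:2019:lazarus:a298c2f,
  author       = {{MITRE ATT\&CK}},
  title        = {{Group description: Lazarus Group}},
  organization = {MITRE},
  date         = {2019},
  url          = {https://attack.mitre.org/groups/G0032/},
  urldate      = {2019-12-20},
  language     = {English},
}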
Group description: Lazarus Group Lazarus Group |
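2019 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker @online{tracker:2019:lazarus:f46916d,
  author       = {{Cyber Operations Tracker}},
  title        = {{Lazarus Group}},
  organization = {Council on Foreign Relations},
  date         = {2019},
  url          = {https://www.cfr.org/interactive/cyber-operations/lazarus-group},
  urldate      = {2019-12-20},
  language     = {English},
}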
Lazarus Group Lazarus Group |
2018-12-31 ⋅ Github Repository ⋅ Frank Boldewin @online{boldewin:20181231:fastcashmalwaredissected:d72e332,
  author       = {Boldewin, Frank},
  title        = {{FastCashMalwareDissected}},
  organization = {Github Repository},
  date         = {2018-12-31},
  url          = {https://github.com/fboldewin/FastCashMalwareDissected/},
  urldate      = {2019-07-10},
  language     = {English},
}
FastCashMalwareDissected FastCash |
2018-12-12 ⋅ McAfee ⋅ Ryan Sherstobitoff, Asheer Malhotra @online{sherstobitoff:20181212:operation:df0b2d2,
  author       = {Sherstobitoff, Ryan and Malhotra, Asheer},
  title        = {{‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure}},
  organization = {McAfee},
  date         = {2018-12-12},
  url          = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/},
  urldate      = {2020-01-13},
  language     = {English},
}
‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure Rising Sun Lazarus Group Operation Sharpshooter |
2018-11-20 ⋅ Trend Micro ⋅ Lenart Bermejo, Joelson Soares @online{bermejo:20181120:lazarus:1d8d3b3,
  author       = {Bermejo, Lenart and Soares, Joelson},
  title        = {{Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America}},
  organization = {Trend Micro},
  date         = {2018-11-20},
  url          = {https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/},
  urldate      = {2020-01-06},
  language     = {English},
}
Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America BLINDTOAD |
2018-11-17 ⋅ Youtube (Demonslay335) ⋅ Michael Gillespie @online{gillespie:20181117:analyzing:ecd5641,
  author       = {Gillespie, Michael},
  title        = {{Analyzing Ransomware - Beginner Static Analysis}},
  organization = {Youtube (Demonslay335)},
  date         = {2018-11-17},
  url          = {https://www.youtube.com/watch?v=9nuo-AGg4p4},
  urldate      = {2021-12-13},
  language     = {English},
}
Analyzing Ransomware - Beginner Static Analysis Hermes |
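2018-11-08 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team @online{team:20181108:fastcash:acf8e38,
  author       = {{Critical Attack Discovery and Intelligence Team}},
  title        = {{FASTCash: How the Lazarus Group is Emptying Millions from ATMs}},
  organization = {Symantec},
  date         = {2018-11-08},
  url          = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware},
  urldate      = {2020-04-21},
  language     = {English},
}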
FASTCash: How the Lazarus Group is Emptying Millions from ATMs FastCash Lazarus Group |
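2018-11-08 ⋅ Symantec ⋅ Security Response Attack Investigation Team @online{team:20181108:fastcash:ee26edb,
  author       = {{Security Response Attack Investigation Team}},
  title        = {{FASTCash: How the Lazarus Group is Emptying Millions from ATMs}},
  organization = {Symantec},
  date         = {2018-11-08},
  url          = {https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware},
  urldate      = {2022-05-03},
  language     = {English},
}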
FASTCash: How the Lazarus Group is Emptying Millions from ATMs FastCash Lazarus Group |
2018-10-08 ⋅ Youtube Video ⋅ Saher Naumaan @online{naumaan:20181008:bsides:26586e2,
  author       = {Naumaan, Saher},
  title        = {{BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks}},
  organization = {Youtube Video},
  date         = {2018-10-08},
  url          = {https://youtu.be/_kzFNQySEMw?t=789},
  urldate      = {2019-10-15},
  language     = {English},
}
BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks NESTEGG |
2018-10-03 ⋅ Virus Bulletin ⋅ Peter Kálnai, Michal Poslušný @techreport{klnai:20181003:lazarus:bebf0ad,
  author      = {Kálnai, Peter and Poslušný, Michal},
  title       = {{LAZARUS GROUP: A MAHJONG GAME PLAYED WITH DIFFERENT SETS OF TILES}},
  institution = {Virus Bulletin},
  date        = {2018-10-03},
  url         = {https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf},
  urldate     = {2020-01-06},
  language    = {English},
}
LAZARUS GROUP: A MAHJONG GAME PLAYED WITH DIFFERENT SETS OF TILES HOTWAX |
2018-10-02 ⋅ US-CERT ⋅ US-CERT @online{uscert:20181002:alert:c29ba37,
  author       = {US-CERT},
  title        = {{Alert (TA18-275A) HIDDEN COBRA: FASTCash Campaign}},
  organization = {US-CERT},
  date         = {2018-10-02},
  url          = {https://www.us-cert.gov/ncas/alerts/TA18-275A},
  urldate      = {2020-01-13},
  language     = {English},
}
Alert (TA18-275A) HIDDEN COBRA: FASTCash Campaign FastCash |
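2018-10-02 ⋅ CISA ⋅ Department of Homeland Security (DHS), Department of the Treasury (Treasury), FBI @online{dhs:20181002:alert:6e24ac4,
  author       = {{Department of Homeland Security (DHS)} and {Department of the Treasury (Treasury)} and {FBI}},
  title        = {{Alert (TA18-275A): HIDDEN COBRA – FASTCash Campaign}},
  organization = {CISA},
  date         = {2018-10-02},
  url          = {https://www.cisa.gov/uscert/ncas/alerts/TA18-275A},
  urldate      = {2022-04-20},
  language     = {English},
}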
Alert (TA18-275A): HIDDEN COBRA – FASTCash Campaign FastCash |
2018-10-01 ⋅ Youtube (FireEye Inc.) ⋅ Christopher DiGiamo, Nalani Fraser, Jacqueline O’Leary @online{digiamo:20181001:cds:a580f8f,
  author       = {DiGiamo, Christopher and Fraser, Nalani and O’Leary, Jacqueline},
  title        = {{CDS 2018 | Unmasking APT X}},
  organization = {Youtube (FireEye Inc.)},
  date         = {2018-10-01},
  url          = {https://youtu.be/8hJyLkLHH8Q?t=1208},
  urldate      = {2020-01-06},
  language     = {English},
}
CDS 2018 | Unmasking APT X NESTEGG |
2018-09-19 ⋅ Möbius Strip Reverse Engineering ⋅ Rolf Rolles @online{rolles:20180919:hexrays:1afcc0c,
  author       = {Rolles, Rolf},
  title        = {{Hex-Rays Microcode API vs. Obfuscating Compiler}},
  organization = {Möbius Strip Reverse Engineering},
  date         = {2018-09-19},
  url          = {http://www.hexblog.com/?p=1248},
  urldate      = {2019-10-28},
  language     = {English},
}
Hex-Rays Microcode API vs. Obfuscating Compiler Ghost RAT |
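2018-09-06 ⋅ Department of Justice ⋅ Office of Public Affairs @online{affairs:20180906:north:9b30dd0,
  author       = {{Office of Public Affairs}},
  title        = {{North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions}},
  organization = {Department of Justice},
  date         = {2018-09-06},
  url          = {https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and},
  urldate      = {2020-01-07},
  language     = {English},
}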
North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions Lazarus Group |
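2018-08-27 ⋅ DARKReading ⋅ Jai Vijayan @online{vijayan:20180827:north:97ee4d4,
  author       = {Vijayan, Jai},
  title        = {{North Korean Hacking Group Steals \$13.5 Million From Indian Bank}},
  organization = {DARKReading},
  date         = {2018-08-27},
  url          = {https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678},
  urldate      = {2020-01-13},
  language     = {English},
}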
North Korean Hacking Group Steals $13.5 Million From Indian Bank Lazarus Group |
2018-08-23 ⋅ Bleeping Computer ⋅ Catalin Cimpanu @online{cimpanu:20180823:lazarus:e929232,
  author       = {Cimpanu, Catalin},
  title        = {{Lazarus Group Deploys Its First Mac Malware in Cryptocurrency Exchange Hack}},
  organization = {Bleeping Computer},
  date         = {2018-08-23},
  url          = {https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/},
  urldate      = {2019-12-20},
  language     = {English},
}
Lazarus Group Deploys Its First Mac Malware in Cryptocurrency Exchange Hack Lazarus Group |
2018-08-23 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20180823:operation:c1011d3,
  author       = {GReAT},
  title        = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}},
  organization = {Kaspersky Labs},
  date         = {2018-08-23},
  url          = {https://securelist.com/operation-applejeus/87553/},
  urldate      = {2019-12-20},
  language     = {English},
}
Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware AppleJeus Volgmer Lazarus Group |
2018-08-09 ⋅ CISA ⋅ CISA @online{cisa:20180809:malware:71c0559,
  author       = {CISA},
  title        = {{Malware Analysis Report (AR18-221A)}},
  organization = {CISA},
  date         = {2018-08-09},
  url          = {https://www.us-cert.gov/ncas/analysis-reports/AR18-221A},
  urldate      = {2020-01-07},
  language     = {English},
}
Malware Analysis Report (AR18-221A) KEYMARBLE |
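2018-07-30 ⋅ Proofpoint ⋅ Proofpoint Staff @online{staff:20180730:new:07c5e76,
  author       = {{Proofpoint Staff}},
  title        = {{New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign}},
  organization = {Proofpoint},
  date         = {2018-07-30},
  url          = {https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside},
  urldate      = {2021-12-13},
  language     = {English},
}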
New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign Azorult Hermes |
2018-07-26 ⋅ IEEE Symposium on Security and Privacy (SP) ⋅ Danny Yuxing Huang, Maxwell Matthaios Aliapoulios, Vector Guo Li, Luca Invernizzi, Kylie McRoberts, Elie Bursztein, Jonathan Levin, Kirill Levchenko, Alex C. Snoeren, Damon McCoy @techreport{huang:20180726:tracking:b51d0ee,
  author      = {Huang, Danny Yuxing and Aliapoulios, Maxwell Matthaios and Li, Vector Guo and Invernizzi, Luca and McRoberts, Kylie and Bursztein, Elie and Levin, Jonathan and Levchenko, Kirill and Snoeren, Alex C. and McCoy, Damon},
  title       = {{Tracking Ransomware End-to-end}},
  institution = {IEEE Symposium on Security and Privacy (SP)},
  date        = {2018-07-26},
  url         = {https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf},
  urldate     = {2021-04-16},
  language    = {English},
}
Tracking Ransomware End-to-end Cerber Locky WannaCryptor |
2018-06-23 ⋅ AhnLab ⋅ AhnLab @techreport{ahnlab:20180623:full:dced6a4,
  author      = {AhnLab},
  title       = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}},
  institution = {AhnLab},
  date        = {2018-06-23},
  url         = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf},
  urldate     = {2019-12-24},
  language    = {English},
}
Full Discloser of Andariel, A Subgroup of Lazarus Threat Group PhanDoor Rifdoor |
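2018-06-13 ⋅ Acalvio ⋅ Team Acalvio @online{acalvio:20180613:lateral:ab17115,
  author       = {{Team Acalvio}},
  title        = {{Lateral Movement Technique Employed by Hidden Cobra}},
  organization = {Acalvio},
  date         = {2018-06-13},
  url          = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/},
  urldate      = {2020-01-13},
  language     = {English},
}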
Lateral Movement Technique Employed by Hidden Cobra Brambul Joanap |
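2018-06-13 ⋅ Threatpost ⋅ Tara Seals @online{seals:20180613:banco:4861a7b,
  author       = {Seals, Tara},
  title        = {{Banco de Chile Wiper Attack Just a Cover for \$10M SWIFT Heist}},
  organization = {Threatpost},
  date         = {2018-06-13},
  url          = {https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/},
  urldate      = {2020-01-13},
  language     = {English},
}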
Banco de Chile Wiper Attack Just a Cover for $10M SWIFT Heist Lazarus Group |
2018-06-08 ⋅ United States District Court (California) ⋅ Nathan P. Shields, Rozella A. Oliver @online{shields:20180608:complaint:8b4b2dc,
  author       = {Shields, Nathan P. and Oliver, Rozella A.},
  title        = {{Complaint against Jin Hyok Park}},
  organization = {United States District Court (California)},
  date         = {2018-06-08},
  url          = {https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html},
  urldate      = {2020-01-08},
  language     = {English},
}
Complaint against Jin Hyok Park NESTEGG |
2018-06-07 ⋅ Trend Micro ⋅ Fernando Mercês @online{mercs:20180607:new:760f179,
  author       = {Mercês, Fernando},
  title        = {{New KillDisk Variant Hits Latin American Financial Organizations Again}},
  organization = {Trend Micro},
  date         = {2018-06-07},
  url          = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/},
  urldate      = {2020-01-09},
  language     = {English},
}
New KillDisk Variant Hits Latin American Financial Organizations Again BOOTWRECK |
2018-05-29 ⋅ Bloomberg ⋅ Michelle Davis @online{davis:20180529:mexico:d40bc2d,
author = {Michelle Davis},
title = {{Mexico Foiled a $110 Million Bank Heist, Then Kept It a Secret}},
date = {2018-05-29},
organization = {Bloomberg},
url = {https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret},
language = {English},
urldate = {2020-01-07}
}
Mexico Foiled a $110 Million Bank Heist, Then Kept It a Secret Lazarus Group |
2018-05-29 ⋅ US-CERT ⋅ US-CERT @online{uscert:20180529:mar101355363:6ee74d8,
author = {US-CERT},
title = {{MAR-10135536-3 - HIDDEN COBRA RAT/Worm}},
date = {2018-05-29},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-149A},
language = {English},
urldate = {2019-10-13}
}
MAR-10135536-3 - HIDDEN COBRA RAT/Worm Brambul Joanap |
2018-05-29 ⋅ US-CERT ⋅ US-CERT @online{uscert:20180529:alert:9ab63c1,
author = {US-CERT},
title = {{Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm}},
date = {2018-05-29},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/alerts/TA18-149A},
language = {English},
urldate = {2020-01-10}
}
Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm Brambul Joanap |
2018-05-03 ⋅ McAfee ⋅ Ryan Sherstobitoff, Itai Liba, James Walter @techreport{sherstobitoff:20180503:dissecting:13102f0,
author = {Ryan Sherstobitoff and Itai Liba and James Walter},
title = {{Dissecting Operation Troy: Cyberespionage in South Korea}},
date = {2018-05-03},
institution = {McAfee},
url = {https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf},
language = {English},
urldate = {2020-01-10}
}
Dissecting Operation Troy: Cyberespionage in South Korea concealment_troy http_troy Lazarus Group |
2018-04-27 ⋅ Bleeping Computer ⋅ Catalin Cimpanu @online{cimpanu:20180427:north:b7ed973,
author = {Catalin Cimpanu},
title = {{North Korean Hackers Are up to No Good Again}},
date = {2018-04-27},
organization = {Bleeping Computer},
url = {https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/},
language = {English},
urldate = {2019-12-20}
}
North Korean Hackers Are up to No Good Again Lazarus Group |
2018-04-24 ⋅ McAfee ⋅ Ryan Sherstobitoff @online{sherstobitoff:20180424:analyzing:4383088,
author = {Ryan Sherstobitoff},
title = {{Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide}},
date = {2018-04-24},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/},
language = {English},
urldate = {2023-02-27}
}
Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide GhostSecret |
2018-04-24 ⋅ McAfee ⋅ Ryan Sherstobitoff, Asheer Malhotra @online{sherstobitoff:20180424:analyzing:9aac21f,
author = {Ryan Sherstobitoff and Asheer Malhotra},
title = {{Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide}},
date = {2018-04-24},
organization = {McAfee},
url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/},
language = {English},
urldate = {2020-01-10}
}
Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide Lazarus Group |
2018-04-20 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos @online{pantazopoulos:20180420:decoding:b4ca1d1,
author = {Nikolaos Pantazopoulos},
title = {{Decoding network data from a Gh0st RAT variant}},
date = {2018-04-20},
organization = {NCC Group},
url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/},
language = {English},
urldate = {2022-10-07}
}
Decoding network data from a Gh0st RAT variant Ghost RAT APT27 |
2018-04-17 ⋅ NCC Group ⋅ Nikolaos Pantazopoulos @online{pantazopoulos:20180417:decoding:7d5f713,
author = {Nikolaos Pantazopoulos},
title = {{Decoding network data from a Gh0st RAT variant}},
date = {2018-04-17},
organization = {NCC Group},
url = {https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/},
language = {English},
urldate = {2022-09-20}
}
Decoding network data from a Gh0st RAT variant Ghost RAT APT27 |
2018-04-03 ⋅ ESET Research ⋅ Peter Kálnai, Anton Cherepanov @online{klnai:20180403:lazarus:14ff18c,
author = {Peter Kálnai and Anton Cherepanov},
title = {{Lazarus KillDisks Central American casino}},
date = {2018-04-03},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/},
language = {English},
urldate = {2019-11-14}
}
Lazarus KillDisks Central American casino KillDisk Lazarus Group |
2018-03-28 ⋅ Intezer ⋅ Jay Rosenberg @online{rosenberg:20180328:lazarus:307e39e,
author = {Jay Rosenberg},
title = {{Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies}},
date = {2018-03-28},
organization = {Intezer},
url = {http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/},
language = {English},
urldate = {2019-11-27}
}
Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies Unidentified 042 |
2018-03-08 ⋅ McAfee ⋅ Ryan Sherstobitoff, Asheer Malhotra, Charles Crawford, Jessica Saavedra-Morales @online{sherstobitoff:20180308:hidden:c1459ef,
author = {Ryan Sherstobitoff and Asheer Malhotra and Charles Crawford and Jessica Saavedra-Morales},
title = {{Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant}},
date = {2018-03-08},
organization = {McAfee},
url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/},
language = {English},
urldate = {2019-10-14}
}
Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant Lazarus Group |
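2018-03 ⋅ Kaspersky Labs ⋅ Kaspersky Lab Global Research, Analysis Team @techreport{research:201803:lazarus:9dd4571,
author = {{Kaspersky Lab Global Research and Analysis Team}},
title = {{Lazarus under the Hood}},
date = {2018-03},
institution = {Kaspersky Labs},
url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf},
language = {English},
urldate = {2019-11-28}
}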
Lazarus under the Hood NESTEGG |
2018-03 ⋅ Kaspersky Labs ⋅ Kaspersky Lab @techreport{lab:201803:lazarus:3fd5ac4,
author = {Kaspersky Lab},
title = {{Lazarus under the Hood}},
date = {2018-03},
institution = {Kaspersky Labs},
url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf},
language = {English},
urldate = {2020-01-07}
}
Lazarus under the Hood HOTWAX REDSHAWL WORMHOLE |
2018-03-01 ⋅ Dragos ⋅ Dragos @techreport{dragos:20180301:industrial:6e4e898,
author = {Dragos},
title = {{INDUSTRIAL CONTROL SYSTEM THREATS}},
date = {2018-03-01},
institution = {Dragos},
url = {https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf},
language = {English},
urldate = {2020-01-08}
}
INDUSTRIAL CONTROL SYSTEM THREATS APT33 CHRYSENE ENERGETIC BEAR Lazarus Group Sandworm |
2018-02-12 ⋅ McAfee ⋅ Ryan Sherstobitoff, Asheer Malhotra, Jessica Saavedra-Morales, Thomas Roccia @online{sherstobitoff:20180212:lazarus:0c034e1,
author = {Ryan Sherstobitoff and Asheer Malhotra and Jessica Saavedra-Morales and Thomas Roccia},
title = {{Lazarus Resurfaces, Targets Global Banks and Bitcoin Users}},
date = {2018-02-12},
organization = {McAfee},
url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/},
language = {English},
urldate = {2020-10-28}
}
Lazarus Resurfaces, Targets Global Banks and Bitcoin Users CoreDN |
2018-02-11 ⋅ Symantec ⋅ Ling Zhou @online{zhou:20180211:technical:56dd35c,
author = {Ling Zhou},
title = {{Technical Description: Downloader.Jelous}},
date = {2018-02-11},
organization = {Symantec},
url = {https://www.symantec.com/security-center/writeup/2018-021216-4405-99#technicaldescription},
language = {English},
urldate = {2020-01-13}
}
Technical Description: Downloader.Jelous CoreDN |
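2018-02-05 ⋅ US-CERT ⋅ Unknown Unknown @techreport{unknown:20180205:hidden:3e1e07e,
author = {US-CERT},
title = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}},
date = {2018-02-05},
institution = {US-CERT},
url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf},
language = {English},
urldate = {2019-12-20}
}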
HIDDEN COBRA - North Korean Malicious Cyber Activity HARDRAIN HARDRAIN |
2018-02-01 ⋅ Bitdefender ⋅ Bitdefender Team @techreport{team:20180201:operation:e76f179,
author = {Bitdefender Team},
title = {{Operation PZCHAO Inside a highly specialized espionage infrastructure}},
date = {2018-02-01},
institution = {Bitdefender},
url = {https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf},
language = {English},
urldate = {2022-09-20}
}
Operation PZCHAO Inside a highly specialized espionage infrastructure Ghost RAT APT27 |
2018-01-29 ⋅ Proofpoint ⋅ Darien Huss @techreport{huss:20180129:north:438b45d,
author = {Darien Huss},
title = {{North Korea Bitten by Bitcoin Bug}},
date = {2018-01-29},
institution = {Proofpoint},
url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf},
language = {English},
urldate = {2020-01-05}
}
North Korea Bitten by Bitcoin Bug Bitsran |
2018-01-24 ⋅ Trend Micro ⋅ Trendmicro @online{trendmicro:20180124:look:fa400c7,
author = {Trendmicro},
title = {{A Look into the Lazarus Group’s Operations}},
date = {2018-01-24},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations},
language = {English},
urldate = {2019-12-04}
}
A Look into the Lazarus Group’s Operations Lazarus Group |
2018-01-24 ⋅ Trend Micro ⋅ CH Lei, Fyodor Yarochkin, Lenart Bermejo, Philippe Z Lin, Razor Huang @online{lei:20180124:lazarus:63d2701,
author = {CH Lei and Fyodor Yarochkin and Lenart Bermejo and Philippe Z Lin and Razor Huang},
title = {{Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More}},
date = {2018-01-24},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/},
language = {English},
urldate = {2020-01-08}
}
Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More PowerRatankba |
2018-01-15 ⋅ Trend Micro ⋅ Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira @online{sison:20180115:new:15ece8f,
author = {Gilbert Sison and Rheniel Ramos and Jay Yaneza and Alfredo Oliveira},
title = {{New KillDisk Variant Hits Financial Organizations in Latin America}},
date = {2018-01-15},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/},
language = {English},
urldate = {2020-01-06}
}
New KillDisk Variant Hits Financial Organizations in Latin America KillDisk Lazarus Group |
2018-01-04 ⋅ Malware Traffic Analysis ⋅ Brad Duncan @online{duncan:20180104:malspam:ce2dfac,
author = {Brad Duncan},
title = {{MALSPAM PUSHING PCRAT/GH0ST}},
date = {2018-01-04},
organization = {Malware Traffic Analysis},
url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html},
language = {English},
urldate = {2019-12-24}
}
MALSPAM PUSHING PCRAT/GH0ST Ghost RAT |
2018-01-01 ⋅ McAfee ⋅ Ryan Sherstobitoff, Itai Liba, James Walter @techreport{sherstobitoff:20180101:dissecting:73712a7,
author = {Ryan Sherstobitoff and Itai Liba and James Walter},
title = {{Dissecting Operation Troy: Cyberespionage in South Korea}},
date = {2018-01-01},
institution = {McAfee},
url = {http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf},
language = {English},
urldate = {2019-10-15}
}
Dissecting Operation Troy: Cyberespionage in South Korea Lazarus Group |
2018 ⋅ FireEye ⋅ FireEye @online{fireeye:2018:apt38:20161b7,
author = {FireEye},
title = {{APT38}},
date = {2018},
organization = {FireEye},
url = {https://content.fireeye.com/apt/rpt-apt38},
language = {English},
urldate = {2020-01-13}
}
APT38 Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group |
2018 ⋅ FireEye ⋅ FireEye @techreport{fireeye:2018:apt38:c81b87d,
author = {FireEye},
title = {{APT38}},
date = {2018},
institution = {FireEye},
url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf},
language = {English},
urldate = {2020-01-07}
}
APT38 CHEESETRAY CLEANTOAD NACHOCHEESE |
2017-12-20 ⋅ RiskIQ ⋅ Yonathan Klijnsma @online{klijnsma:20171220:mining:4b3dc11,
author = {Yonathan Klijnsma},
title = {{Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry}},
date = {2017-12-20},
organization = {RiskIQ},
url = {https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/},
language = {English},
urldate = {2020-01-13}
}
Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry PowerRatankba |
2017-12-19 ⋅ Proofpoint ⋅ Darien Huss @online{huss:20171219:north:e5ef6da,
author = {Darien Huss},
title = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}},
date = {2017-12-19},
organization = {Proofpoint},
url = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new},
language = {English},
urldate = {2019-12-20}
}
North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group Ghost RAT |
2017-12-19 ⋅ Proofpoint ⋅ Darien Huss @techreport{huss:20171219:north:b2da03e,
author = {Darien Huss},
title = {{North Korea Bitten by Bitcoin Bug}},
date = {2017-12-19},
institution = {Proofpoint},
url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf},
language = {English},
urldate = {2019-10-18}
}
North Korea Bitten by Bitcoin Bug QUICKCAFE PowerSpritz Ghost RAT PowerRatankba |
2017-12-13 ⋅ US-CERT ⋅ US-CERT @techreport{uscert:20171213:malware:89db625,
author = {US-CERT},
title = {{Malware Analysis Report (MAR) - 10135536-B}},
date = {2017-12-13},
institution = {US-CERT},
url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF},
language = {English},
urldate = {2020-01-08}
}
Malware Analysis Report (MAR) - 10135536-B Bankshot |
2017-11-20 ⋅ McAfee ⋅ Inhee Han @online{han:20171120:android:c3f825c,
author = {Inhee Han},
title = {{Android Malware Appears Linked to Lazarus Cybercrime Group}},
date = {2017-11-20},
organization = {McAfee},
url = {https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990},
language = {English},
urldate = {2019-12-17}
}
Android Malware Appears Linked to Lazarus Cybercrime Group HARDRAIN |
2017-11-20 ⋅ Palo Alto Networks Unit 42 ⋅ Anthony Kasza, Juan Cortes, Micah Yates @online{kasza:20171120:operation:0bc8efe,
author = {Anthony Kasza and Juan Cortes and Micah Yates},
title = {{Operation Blockbuster Goes Mobile}},
date = {2017-11-20},
organization = {Palo Alto Networks Unit 42},
url = {https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/},
language = {English},
urldate = {2019-12-24}
}
Operation Blockbuster Goes Mobile HARDRAIN |
2017-11-14 ⋅ Department of Homeland Security ⋅ Department of Homeland Security @online{security:20171114:hidden:a45c30a,
author = {Department of Homeland Security},
title = {{HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL}},
date = {2017-11-14},
organization = {Department of Homeland Security},
url = {https://www.us-cert.gov/ncas/alerts/TA17-318A},
language = {English},
urldate = {2019-11-28}
}
HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL Lazarus Group |
2017-11-14 ⋅ US-CERT ⋅ US-CERT @online{uscert:20171114:alert:4bf4ff5,
author = {US-CERT},
title = {{Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer}},
date = {2017-11-14},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/alerts/TA17-318B},
language = {English},
urldate = {2020-01-08}
}
Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer Volgmer Lazarus Group |
2017-10-27 ⋅ Independent.co.uk ⋅ Adam Withnall @online{withnall:20171027:british:18c1e9a,
author = {Adam Withnall},
title = {{British security minister says North Korea was behind WannaCry hack on NHS}},
date = {2017-10-27},
organization = {Independent.co.uk},
url = {http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html},
language = {English},
urldate = {2020-01-07}
}
British security minister says North Korea was behind WannaCry hack on NHS WannaCryptor |
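2017-10-16 ⋅ Sergei Shevchenko, Hirman Muhammad bin Abu Bakar, James Wong @online{shevchenko:20171016:taiwan:081b125,
author = {Sergei Shevchenko and Hirman Muhammad bin Abu Bakar and James Wong},
title = {{Taiwan Heist: Lazarus Tools and Ransomware}},
date = {2017-10-16},
organization = {BAE Systems},
url = {http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html},
language = {English},
urldate = {2020-01-07}
}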
Taiwan Heist: Lazarus Tools and Ransomware Bitsran Hermes |
2017-10-16 ⋅ BAE Systems ⋅ Sergei Shevchenko, Hirman Muhammad bin Abu Bakar, James Wong @online{shevchenko:20171016:taiwan:cb91378,
author = {Sergei Shevchenko and Hirman Muhammad bin Abu Bakar and James Wong},
title = {{Taiwan Heist: Lazarus Tools and Ransomware}},
date = {2017-10-16},
organization = {BAE Systems},
url = {https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html},
language = {English},
urldate = {2020-01-06}
}
Taiwan Heist: Lazarus Tools and Ransomware BLINDTOAD Lazarus Group |
2017-08-25 ⋅ Kaspersky Labs ⋅ Juan Andrés Guerrero-Saade, Costin Raiu @techreport{guerrerosaade:20170825:walking:040671b,
author = {Juan Andrés Guerrero-Saade and Costin Raiu},
title = {{Walking in your Enemy's Shadow: When Fourth-Party Collection becomes Attribution Hell}},
date = {2017-08-25},
institution = {Kaspersky Labs},
url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf},
language = {English},
urldate = {2022-10-06}
}
Walking in your Enemy's Shadow: When Fourth-Party Collection becomes Attribution Hell NetTraveler RCS WannaCryptor Dancing Salome |
2017-08-14 ⋅ Palo Alto Networks Unit 42 ⋅ Anthony Kasza @online{kasza:20170814:blockbuster:79266d5,
author = {Anthony Kasza},
title = {{The Blockbuster Saga Continues}},
date = {2017-08-14},
organization = {Palo Alto Networks Unit 42},
url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/},
language = {English},
urldate = {2019-12-20}
}
The Blockbuster Saga Continues HOPLIGHT |
2017-06-13 ⋅ US-CERT ⋅ US-CERT @online{uscert:20170613:hidden:4f15d2c,
author = {US-CERT},
title = {{HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure}},
date = {2017-06-13},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/alerts/TA17-164A},
language = {English},
urldate = {2020-01-06}
}
HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure Lazarus Group |
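2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20170531:axiom:b181fdb,
author = {MITRE ATT\&CK},
title = {{Axiom}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0001/},
language = {English},
urldate = {2022-08-30}
}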
Axiom Derusbi 9002 RAT BLACKCOFFEE Derusbi Ghost RAT HiKit PlugX ZXShell APT17 |
2017-05-31 ⋅ MITRE ⋅ MITRE @online{mitre:20170531:apt18:deb24dc,
author = {MITRE},
title = {{APT18}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0026},
language = {English},
urldate = {2022-07-05}
}
APT18 Ghost RAT HttpBrowser APT18 |
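2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20170531:lazarus:9e5ef58,
author = {MITRE ATT\&CK},
title = {{Lazarus Group}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0032},
language = {English},
urldate = {2022-07-13}
}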
Lazarus Group Lazarus Group |
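2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20170531:pittytiger:cac6452,
author = {MITRE ATT\&CK},
title = {{PittyTiger}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0011},
language = {English},
urldate = {2022-08-30}
}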
PittyTiger Enfal Ghost RAT MimiKatz Poison Ivy APT24 |
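2017-05-31 ⋅ MITRE ⋅ MITRE ATT&CK @online{attck:20170531:sandworm:1a9a446,
author = {MITRE ATT\&CK},
title = {{Sandworm Team}},
date = {2017-05-31},
organization = {MITRE},
url = {https://attack.mitre.org/groups/G0034},
language = {English},
urldate = {2022-08-25}
}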
Sandworm Team CyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic Destroyer Sandworm |
2017-05-25 ⋅ Flashpoint ⋅ Flashpoint @online{flashpoint:20170525:linguistic:70ffc44,
author = {Flashpoint},
title = {{Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors}},
date = {2017-05-25},
organization = {Flashpoint},
url = {https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/},
language = {English},
urldate = {2019-12-10}
}
Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors WannaCryptor |
2017-05-25 ⋅ Symantec ⋅ Security Response @online{response:20170525:lazarus:4d00eab,
author = {Security Response},
title = {{Lazarus: History of mysterious group behind infamous cyber attacks}},
date = {2017-05-25},
organization = {Symantec},
url = {https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c},
language = {English},
urldate = {2020-01-08}
}
Lazarus: History of mysterious group behind infamous cyber attacks Lazarus Group |
2017-05-22 ⋅ Symantec ⋅ Symantec Security Response @online{response:20170522:wannacry:f66a95e,
author = {Symantec Security Response},
title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}},
date = {2017-05-22},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group},
language = {English},
urldate = {2020-01-06}
}
WannaCry: Ransomware attacks show strong links to Lazarus group AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor |
2017-05-19 ⋅ Comae ⋅ Matt Suiche @online{suiche:20170519:wannacry:81703ac,
author = {Matt Suiche},
title = {{WannaCry — Decrypting files with WanaKiwi + Demos}},
date = {2017-05-19},
organization = {Comae},
url = {https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d},
language = {English},
urldate = {2019-10-25}
}
WannaCry — Decrypting files with WanaKiwi + Demos WannaCryptor |
2017-05-19 ⋅ Malwarebytes ⋅ Adam McNeil @online{mcneil:20170519:how:fac33a7,
author = {Adam McNeil},
title = {{How did the WannaCry ransomworm spread?}},
date = {2017-05-19},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/},
language = {English},
urldate = {2019-12-20}
}
How did the WannaCry ransomworm spread? WannaCryptor |
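2017-05-16 ⋅ Sergei Shevchenko, Adrian Nish @online{shevchenko:20170516:wannacryptor:8bc9235,
author = {Sergei Shevchenko and Adrian Nish},
title = {{Wannacryptor Ransomworm}},
date = {2017-05-16},
organization = {BAE Systems},
url = {https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html},
language = {English},
urldate = {2020-01-07}
}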
Wannacryptor Ransomworm WannaCryptor |
2017-05-14 ⋅ Comae ⋅ Matt Suiche @online{suiche:20170514:wannacry:b2c62ca,
author = {Matt Suiche},
title = {{WannaCry — New Variants Detected!}},
date = {2017-05-14},
organization = {Comae},
url = {https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e},
language = {English},
urldate = {2020-01-08}
}
WannaCry — New Variants Detected! WannaCryptor |
2017-05-13 ⋅ MalwareTech ⋅ MalwareTech @online{malwaretech:20170513:how:1036ae2,
author = {MalwareTech},
title = {{How to Accidentally Stop a Global Cyber Attacks}},
date = {2017-05-13},
organization = {MalwareTech},
url = {https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html},
language = {English},
urldate = {2019-11-25}
}
How to Accidentally Stop a Global Cyber Attacks WannaCryptor |
2017-05-12 ⋅ Microsoft ⋅ Karthik Selvaraj, Elia Florio, Andrea Lelli, Tanmay Ganacharya @online{selvaraj:20170512:wannacrypt:9604786,
author = {Karthik Selvaraj and Elia Florio and Andrea Lelli and Tanmay Ganacharya},
title = {{WannaCrypt ransomware worm targets out-of-date systems}},
date = {2017-05-12},
organization = {Microsoft},
url = {https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/},
language = {English},
urldate = {2020-03-06}
}
WannaCrypt ransomware worm targets out-of-date systems WannaCryptor |
2017-05-12 ⋅ Comae ⋅ Matt Suiche @online{suiche:20170512:wannacry:f79fed5,
author = {Matt Suiche},
title = {{WannaCry — The largest ransom-ware infection in History}},
date = {2017-05-12},
organization = {Comae},
url = {https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58},
language = {English},
urldate = {2020-01-06}
}
WannaCry — The largest ransom-ware infection in History WannaCryptor |
2017-05-12 ⋅ G Data ⋅ G Data @online{data:20170512:warning:162cfc4,
author = {G Data},
title = {{Warning: Massive "WannaCry" Ransomware campaign launched}},
date = {2017-05-12},
organization = {G Data},
url = {https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign},
language = {English},
urldate = {2020-01-13}
}
Warning: Massive "WannaCry" Ransomware campaign launched WannaCryptor |
2017-05-12 ⋅ The Moscow Times ⋅ The Moscow Times @online{times:20170512:wcry:10ff3fa,
author = {The Moscow Times},
title = {{‘WCry’ Virus Reportedly Infects Russian Interior Ministry's Computer Network}},
date = {2017-05-12},
organization = {The Moscow Times},
url = {https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984},
language = {English},
urldate = {2019-12-05}
}
‘WCry’ Virus Reportedly Infects Russian Interior Ministry's Computer Network WannaCryptor |
2017-05-12 ⋅ Emsisoft ⋅ Holger Keller @online{keller:20170512:global:2ee68f6,
author = {Holger Keller},
title = {{Global WannaCry ransomware outbreak uses known NSA exploits}},
date = {2017-05-12},
organization = {Emsisoft},
url = {http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/},
language = {English},
urldate = {2019-12-10}
}
Global WannaCry ransomware outbreak uses known NSA exploits WannaCryptor |
2017-05-12 ⋅ KrebsOnSecurity ⋅ Brian Krebs @online{krebs:20170512:uk:11a7e5a,
author = {Brian Krebs},
title = {{U.K. Hospitals Hit in Widespread Ransomware Attack}},
date = {2017-05-12},
organization = {KrebsOnSecurity},
url = {https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/},
language = {English},
urldate = {2020-01-06}
}
U.K. Hospitals Hit in Widespread Ransomware Attack WannaCryptor |
2017-05-12 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20170512:wannacry:b24b188,
author = {GReAT},
title = {{WannaCry ransomware used in widespread attacks all over the world}},
date = {2017-05-12},
organization = {Kaspersky Labs},
url = {https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/},
language = {English},
urldate = {2019-12-20}
}
WannaCry ransomware used in widespread attacks all over the world WannaCryptor |
2017-05-12 ⋅ Avast ⋅ Jakub Křoustek @online{koustek:20170512:wannacry:ff9bc08,
author = {Jakub Křoustek},
title = {{WannaCry ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far today}},
date = {2017-05-12},
organization = {Avast},
url = {https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today},
language = {English},
urldate = {2020-01-07}
}
WannaCry ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far today WannaCryptor |
2017-04-07 ⋅ Palo Alto Networks Unit 42 ⋅ Anthony Kasza, Micah Yates @online{kasza:20170407:blockbuster:0e430d3,
author = {Anthony Kasza and Micah Yates},
title = {{The Blockbuster Sequel}},
date = {2017-04-07},
organization = {Palo Alto Networks Unit 42},
url = {http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/},
language = {English},
urldate = {2019-12-20}
}
The Blockbuster Sequel OpBlockBuster |
2017-04-04 ⋅ Kaspersky Labs ⋅ Kaspersky Lab @online{lab:20170404:chasing:b9789da,
author = {Kaspersky Lab},
title = {{Chasing Lazarus: A Hunt for the Infamous Hackers to Prevent Large Bank Robberies}},
date = {2017-04-04},
organization = {Kaspersky Labs},
url = {https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies},
language = {English},
urldate = {2019-12-24}
}
Chasing Lazarus: A Hunt for the Infamous Hackers to Prevent Large Bank Robberies Lazarus Group |
2017-04-03 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20170403:lazarus:033fcf7,
author = {GReAT},
title = {{Lazarus under the Hood}},
date = {2017-04-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/lazarus-under-the-hood/77908/},
language = {English},
urldate = {2019-12-20}
}
Lazarus under the Hood Lazarus Group |
2017-04-03 ⋅ Threatpost ⋅ Michael Mimoso @online{mimoso:20170403:lazarus:c824fd6,
author = {Michael Mimoso},
title = {{Lazarus APT Spinoff Linked to Banking Hacks}},
date = {2017-04-03},
organization = {Threatpost},
url = {https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/},
language = {English},
urldate = {2020-01-10}
}
Lazarus APT Spinoff Linked to Banking Hacks Lazarus Group |
2017-04-03 ⋅ Kaspersky Labs ⋅ GReAT @online{great:20170403:lazarus:689432c,
author = {GReAT},
title = {{Lazarus under the Hood}},
date = {2017-04-03},
organization = {Kaspersky Labs},
url = {https://securelist.com/blog/sas/77908/lazarus-under-the-hood/},
language = {English},
urldate = {2019-12-20}
}
Lazarus under the Hood Alreay DYEPACK |
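2017-02-25 ⋅ Financial Security Institute ⋅ Kyoung-Ju Kwak (郭炅周) @techreport{:20170225:silent:5a11e12,
author = {Kwak, Kyoung-Ju (郭炅周)},
title = {{Silent RIFLE: Response Against Advanced Threat}},
date = {2017-02-25},
institution = {Financial Security Institute},
url = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf},
language = {English},
urldate = {2020-03-04}
}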
Silent RIFLE: Response Against Advanced Threat Ghost RAT |
2017-02-20 ⋅ BAE Systems ⋅ Sergei Shevchenko @online{shevchenko:20170220:lazarus:c608fd5,
author = {Sergei Shevchenko},
title = {{Lazarus’ False Flag Malware}},
date = {2017-02-20},
organization = {BAE Systems},
url = {https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html},
language = {English},
urldate = {2019-12-20}
}
Lazarus’ False Flag Malware NACHOCHEESE |
2017-02-16 ⋅ ESET Research ⋅ Peter Kálnai @online{klnai:20170216:demystifying:7ae8785,
author = {Peter Kálnai},
title = {{Demystifying targeted malware used against Polish banks}},
date = {2017-02-16},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/},
language = {English},
urldate = {2019-11-14}
}
Demystifying targeted malware used against Polish banks HOTWAX NACHOCHEESE |
2017-02-12 ⋅ Symantec ⋅ A L Johnson @online{johnson:20170212:attackers:c338fa3,
author = {A L Johnson},
title = {{Attackers target dozens of global banks with new malware}},
date = {2017-02-12},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware},
language = {English},
urldate = {2020-04-21}
}
Attackers target dozens of global banks with new malware Joanap Ratankba Sierra(Alfa,Bravo, ...) Lazarus Group |
2017-02-12 ⋅ Symantec ⋅ Symantec Security Response @online{response:20170212:attackers:2fdd5b5,
author = {Symantec Security Response},
title = {{Attackers target dozens of global banks with new malware}},
date = {2017-02-12},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0},
language = {English},
urldate = {2020-01-08}
}
Attackers target dozens of global banks with new malware Lazarus Group |
2017-01-05 ⋅ ESET Research ⋅ Robert Lipovsky, Peter Kálnai @online{lipovsky:20170105:killdisk:5d49eac,
author = {Robert Lipovsky and Peter Kálnai},
title = {{KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt}},
date = {2017-01-05},
organization = {ESET Research},
url = {https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt},
language = {English},
urldate = {2022-08-25}
}
KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt KillDisk Sandworm |
2017 ⋅ Github (rain-1) ⋅ rain1, Epivalent @online{rain1:2017:wannacrywannadecrypt0r:53d1c73,
author = {rain1 and Epivalent},
title = {{WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm}},
date = {2017},
organization = {Github (rain-1)},
url = {https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168},
language = {English},
urldate = {2019-11-29}
}
WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm WannaCryptor |
2016-12-13 ⋅ ESET Research ⋅ Anton Cherepanov @online{cherepanov:20161213:rise:057c5f4,
author = {Anton Cherepanov},
title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}},
date = {2016-12-13},
organization = {ESET Research},
url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks},
language = {English},
urldate = {2022-08-25}
}
The rise of TeleBots: Analyzing disruptive KillDisk attacks KillDisk TeleBot Sandworm |
2016-12-13 ⋅ ESET Research ⋅ Anton Cherepanov @online{cherepanov:20161213:rise:d6ee3c1,
author = {Anton Cherepanov},
title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}},
date = {2016-12-13},
organization = {ESET Research},
url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/},
language = {English},
urldate = {2019-12-20}
}
The rise of TeleBots: Analyzing disruptive KillDisk attacks Credraptor KillDisk TeleBot |
2016-06-03 ⋅ FireEye ⋅ Yin Hong Chang, Sudeep Singh @online{chang:20160603:sends:176f9ab,
author = {Yin Hong Chang and Sudeep Singh},
title = {{APT Group Sends Spear Phishing Emails to Indian Government Officials}},
date = {2016-06-03},
organization = {FireEye},
url = {https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html},
language = {English},
urldate = {2019-12-20}
}
APT Group Sends Spear Phishing Emails to Indian Government Officials BreachRAT DarkComet Operation C-Major |
2016-05-26 ⋅ Symantec ⋅ Symantec Security Response @online{response:20160526:swift:a8d8898,
author = {Symantec Security Response},
title = {{SWIFT attackers’ malware linked to more financial attacks}},
date = {2016-05-26},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks},
language = {English},
urldate = {2020-01-07}
}
SWIFT attackers’ malware linked to more financial attacks Contopee Lazarus Group |
2016-05-26 ⋅ Symantec ⋅ Security Response @online{response:20160526:swift:fe259bf,
author = {Security Response},
title = {{SWIFT attackers’ malware linked to more financial attacks}},
date = {2016-05-26},
organization = {Symantec},
url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks},
language = {English},
urldate = {2020-04-21}
}
SWIFT attackers’ malware linked to more financial attacks Contopee Sierra(Alfa,Bravo, ...) Lazarus Group |
2016-05-20 ⋅ Reuters ⋅ Tom Bergin, Nathan Layne @online{bergin:20160520:special:46b3cc4,
author = {Tom Bergin and Nathan Layne},
title = {{Special Report: Cyber thieves exploit banks' faith in SWIFT transfer network}},
date = {2016-05-20},
organization = {Reuters},
url = {https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD},
language = {English},
urldate = {2019-12-17}
}
Special Report: Cyber thieves exploit banks' faith in SWIFT transfer network Lazarus Group |
2016-05-16 ⋅ Bankinfo Security ⋅ Mathew J. Schwartz @online{schwartz:20160516:vietnamese:0730aab,
author = {Mathew J. Schwartz},
title = {{Vietnamese Bank Blocks $1 Million SWIFT Heist}},
date = {2016-05-16},
organization = {Bankinfo Security},
url = {https://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105},
language = {English},
urldate = {2020-01-08}
}
Vietnamese Bank Blocks $1 Million SWIFT Heist Lazarus Group |
2016-05-15 ⋅ Trend Micro ⋅ Martin Roesler @online{roesler:20160515:what:36c2071,
author = {Martin Roesler},
title = {{What We Can Learn From the Bangladesh Central Bank Cyber Heist}},
date = {2016-05-15},
organization = {Trend Micro},
url = {https://blog.trendmicro.com/trendlabs-security-intelligence/what-we-can-learn-from-the-bangladesh-central-bank-cyber-heist/},
language = {English},
urldate = {2020-01-13}
}
What We Can Learn From the Bangladesh Central Bank Cyber Heist Lazarus Group |
2016-04-22 ⋅ Cylance ⋅ Isaac Palmer @online{palmer:20160422:ghost:dda6514,
author = {Isaac Palmer},
title = {{The Ghost Dragon}},
date = {2016-04-22},
organization = {Cylance},
url = {https://blog.cylance.com/the-ghost-dragon},
language = {English},
urldate = {2020-01-08}
}
The Ghost Dragon Ghost RAT |
2016-03-07 ⋅ Github (xl7dev) ⋅ xl7dev @online{xl7dev:20160307:redhat:5d504f1,
author = {xl7dev},
title = {{RedHat Hacker.asp}},
date = {2016-03-07},
organization = {Github (xl7dev)},
url = {https://github.com/xl7dev/WebShell/blob/master/Asp/RedHat%20Hacker.asp},
language = {English},
urldate = {2020-12-16}
}
RedHat Hacker.asp RedHat Hacker WebShell |
2016-02-24 ⋅ Threatpost ⋅ Michael Mimoso @online{mimoso:20160224:operation:811ccca,
author = {Michael Mimoso},
title = {{Operation Blockbuster Coalition Ties Destructive Attacks to Lazarus Group}},
date = {2016-02-24},
organization = {Threatpost},
url = {https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/},
language = {English},
urldate = {2020-01-06}
}
Operation Blockbuster Coalition Ties Destructive Attacks to Lazarus Group Lazarus Group |
2016-02 ⋅ Novetta ⋅ Novetta @techreport{novetta:201602:operation:c3cadae,
author = {Novetta},
title = {{Operation Blockbuster}},
date = {2016-02},
institution = {Novetta},
url = {https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf},
language = {English},
urldate = {2020-01-13}
}
Operation Blockbuster Lazarus Group |
2016-02 ⋅ Blue Coat Systems Inc ⋅ Snorre Fagerland @online{fagerland:201602:from:78bc745,
author = {Snorre Fagerland},
title = {{From Seoul to Sony: The History of the Darkseoul Group and the Sony Intrusion Malware Destover}},
date = {2016-02},
organization = {Blue Coat Systems Inc},
url = {https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4},
language = {English},
urldate = {2020-08-18}
}
From Seoul to Sony: The History of the Darkseoul Group and the Sony Intrusion Malware Destover Joanap Sierra(Alfa,Bravo, ...) |
2015-10-26 ⋅ Symantec ⋅ Symantec Security Response @online{response:20151026:duuzer:49ffa2d,
author = {Symantec Security Response},
title = {{Duuzer back door Trojan targets South Korea to take over computers}},
date = {2015-10-26},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers},
language = {English},
urldate = {2020-01-09}
}
Duuzer back door Trojan targets South Korea to take over computers Lazarus Group |
2015-10-26 ⋅ Symantec ⋅ A L Johnson @online{johnson:20151026:duuzer:e87f194,
author = {A L Johnson},
title = {{Duuzer back door Trojan targets South Korea to take over computers}},
date = {2015-10-26},
organization = {Symantec},
url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments},
language = {English},
urldate = {2020-04-21}
}
Duuzer back door Trojan targets South Korea to take over computers Brambul Duuzer Joanap Lazarus Group |
2015-09-10 ⋅ FireEye ⋅ Genwei Jiang, Josiah Kimble @techreport{jiang:20150910:hangul:2e0fc13,
author = {Genwei Jiang and Josiah Kimble},
title = {{Hangul Word Processor (HWP) Zero-Day: possible ties to North Korean threat actors}},
date = {2015-09-10},
institution = {FireEye},
url = {https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf},
language = {English},
urldate = {2020-01-13}
}
Hangul Word Processor (HWP) Zero-Day: possible ties to North Korean threat actors HOPLIGHT |
2014-12-19 ⋅ US-CERT ⋅ US-CERT @online{uscert:20141219:alert:b74115d,
author = {US-CERT},
title = {{Alert (TA14-353A): Targeted Destructive Malware}},
date = {2014-12-19},
organization = {US-CERT},
url = {https://www.us-cert.gov/ncas/alerts/TA14-353A},
language = {English},
urldate = {2020-03-19}
}
Alert (TA14-353A): Targeted Destructive Malware Sierra(Alfa,Bravo, ...) |
2014-12-08 ⋅ Trend Micro ⋅ Trend Micro @online{micro:20141208:hack:6a3ba20,
author = {Trend Micro},
title = {{The Hack of Sony Pictures: What We Know and What You Need to Know}},
date = {2014-12-08},
organization = {Trend Micro},
url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know},
language = {English},
urldate = {2020-01-08}
}
The Hack of Sony Pictures: What We Know and What You Need to Know Lazarus Group |
2013-06-26 ⋅ Symantec ⋅ Security Response @online{response:20130626:four:abdfea2,
author = {Security Response},
title = {{Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War}},
date = {2013-06-26},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war},
language = {English},
urldate = {2020-01-10}
}
Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War Lazarus Group |
2013-06-26 ⋅ Symantec ⋅ Symantec Security Response @online{response:20130626:four:cd9ccb5,
author = {Symantec Security Response},
title = {{Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War}},
date = {2013-06-26},
organization = {Symantec},
url = {https://web.archive.org/web/20130701021735/https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war},
language = {English},
urldate = {2020-04-21}
}
Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War Lazarus Group |
2013-05-29 ⋅ Symantec ⋅ Lionel Payet @online{payet:20130529:south:3242988,
author = {Lionel Payet},
title = {{South Korean Financial Companies Targeted by Castov}},
date = {2013-05-29},
organization = {Symantec},
url = {https://web.archive.org/web/20130607233212/https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov},
language = {English},
urldate = {2020-04-21}
}
South Korean Financial Companies Targeted by Castov Lazarus Group |
2013-05-28 ⋅ Symantec ⋅ Lionel Payet @online{payet:20130528:south:97facdb,
author = {Lionel Payet},
title = {{South Korean Financial Companies Targeted by Castov}},
date = {2013-05-28},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov},
language = {English},
urldate = {2020-01-06}
}
South Korean Financial Companies Targeted by Castov Lazarus Group |
2013-03-20 ⋅ The New York Times ⋅ Choe Sang-Hun @online{sanghun:20130320:computer:bc0bf29,
author = {Choe Sang-Hun},
title = {{Computer Networks in South Korea Are Paralyzed in Cyberattacks}},
date = {2013-03-20},
organization = {The New York Times},
url = {https://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html},
language = {English},
urldate = {2020-01-13}
}
Computer Networks in South Korea Are Paralyzed in Cyberattacks Lazarus Group |
2012-10-05 ⋅ Malwarebytes ⋅ Adam Kujawa @online{kujawa:20121005:dark:192d4aa,
author = {Adam Kujawa},
title = {{Dark Comet 2: Electric Boogaloo}},
date = {2012-10-05},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/},
language = {English},
urldate = {2019-12-20}
}
Dark Comet 2: Electric Boogaloo DarkComet |
2012-06-21 ⋅ Contagio Dump ⋅ Mila Parkour @online{parkour:20120621:rat:2186087,
author = {Mila Parkour},
title = {{RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army}},
date = {2012-06-21},
organization = {Contagio Dump},
url = {http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html},
language = {English},
urldate = {2019-12-20}
}
RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army BlackShades DarkComet Terminator RAT |
2012-06-09 ⋅ Malwarebytes ⋅ Adam Kujawa @online{kujawa:20120609:you:c8d15e0,
author = {Adam Kujawa},
title = {{You dirty RAT! Part 1: DarkComet}},
date = {2012-06-09},
organization = {Malwarebytes},
url = {https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/},
language = {English},
urldate = {2019-12-20}
}
You dirty RAT! Part 1: DarkComet DarkComet |
2012 ⋅ Norman ASA ⋅ Snorre Fagerland @techreport{fagerland:2012:many:c938856,
author = {Snorre Fagerland},
title = {{The many faces of Gh0st Rat}},
date = {2012},
institution = {Norman ASA},
url = {http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf},
language = {English},
urldate = {2019-12-20}
}
The many faces of Gh0st Rat Ghost RAT |
2011-06-29 ⋅ Symantec ⋅ John McDonald @online{mcdonald:20110629:inside:b955948,
author = {John McDonald},
title = {{Inside a Back Door Attack}},
date = {2011-06-29},
organization = {Symantec},
url = {https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack},
language = {English},
urldate = {2020-04-21}
}
Inside a Back Door Attack Ghost RAT Dust Storm |
2011-03-11 ⋅ Symantec ⋅ Shunichi Imano @online{imano:20110311:trojankoredos:414e359,
author = {Shunichi Imano},
title = {{Trojan.Koredos Comes with an Unwelcomed Surprise}},
date = {2011-03-11},
organization = {Symantec},
url = {https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise},
language = {English},
urldate = {2020-04-21}
}
Trojan.Koredos Comes with an Unwelcomed Surprise Lazarus Group |
2011-03-11 ⋅ Symantec ⋅ Shunichi Imano @online{imano:20110311:trojankoredos:c3aa3c6,
author = {Shunichi Imano},
title = {{Trojan.Koredos Comes with an Unwelcomed Surprise}},
date = {2011-03-11},
organization = {Symantec},
url = {https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise},
language = {English},
urldate = {2020-01-10}
}
Trojan.Koredos Comes with an Unwelcomed Surprise Lazarus Group |